STRUCTURE COMPUTATION AND DISCRETE LOGARITHMS
IN FINITE ABELIAN p-GROUPS

ANDREW V. SUTHERLAND

Abstract. We present a generic algorithm for computing discrete logarithms in a finite abelian p-group H, improving the Pohlig-Hellman algorithm and its generalization to noncyclic groups by Teske. We then give a direct method to compute a basis for H without using a relation matrix. The problem of computing a basis for some or all of the Sylow p-subgroups of an arbitrary finite abelian group G is addressed, yielding a Monte Carlo algorithm to compute the structure of G using $O(|G|^{1/2})$ group operations. These results also improve generic algorithms for extracting pth roots in G.



1. Introduction

The discrete logarithm plays two opposing roles in group computations. As a constructive tool, discrete logarithms are the key ingredient in generic algorithms for extracting roots (including square roots in finite fields) [2, 23, 27, 31] and for computing group structure [5, 7, 25, 30]. On the other hand, a wide range of cryptographic applications depend on the essential difficulty of computing discrete logarithms in the worst case (see [18] or [17] for a survey).

Typically the discrete logarithm is defined in the context of a cyclic group: for any $\beta \in \langle\alpha\rangle$ there is a unique nonnegative integer $x < |\alpha|$ for which $\beta = \alpha^x$.^1 More generally, given $\alpha = (\alpha_1, \ldots, \alpha_r)$, if every $\beta \in \langle\alpha\rangle$ can be written uniquely as $\alpha^x = \alpha_1^{x_1}\cdots\alpha_r^{x_r}$ with $0 \le x_i < |\alpha_i|$, then $x = \mathrm{DL}(\alpha, \beta)$ is the discrete logarithm of $\beta$ with respect to $\alpha$, and we call the vector $\alpha$ a basis for the group it generates. We work in the computational framework of generic group algorithms, as defined, for example, in [26]. Thus we suppose that a "black box" is used to perform group operations, possibly including the provision of random elements, with each group element arbitrarily assigned a unique identifier.

We are interested in constructive applications of the discrete logarithm, but let us first recall the negative result of Shoup [24]. Any generic algorithm to compute discrete logarithms in a finite abelian group G with prime exponent^2 uses $\Omega(|G|^{1/2})$ group operations. A matching upper bound is achieved, for cyclic groups, by Shanks' baby-step giant-step algorithm [22] and (probabilistically) by Pollard's rho method [20, 21]. Both algorithms can be generalized to compute discrete logarithms in any finite abelian group using $O(|G|^{1/2})$ group operations [4, 28].



2000 Mathematics Subject Classification. Primary 11Y16; Secondary 20K01, 12Y05. 
^1 Consistent with our use of the word "logarithm", we write groups multiplicatively.
^2 The exponent of G is the least positive integer n for which $\alpha^n = 1_G$ for all $\alpha \in G$.
However, when the exponent of the group is not prime, we can do better. This was proven for cyclic groups by Pohlig and Hellman [19]^3 and later generalized by Teske [30].^4 The Pohlig-Hellman approach relies on computing discrete logarithms in subgroups of the given group. The reduction to subgroups of prime-power order is straightforward, hence we focus primarily on abelian p-groups.

If $\alpha$ is a basis for a finite abelian p-group G of exponent $p^m$ and rank r, Teske's generalization of the Pohlig-Hellman algorithm computes $\mathrm{DL}(\alpha, \beta)$ using

(1) $T_{\mathrm{DL}}(G) = O\bigl(rm\lg|G| + m\,p^{r/2}\bigr)$

group operations [30, Thm. 6.1]. When m = 1 this reduces to the $O(|G|^{1/2})$ upper bound mentioned above. If p and r are small (when computing square roots in finite fields, for example, r = 1 and p = 2) the first term dominates and the complexity becomes $O(n^2)$, where $n = \lg|G|$. For cyclic groups this can be improved to $O(n \lg n)$ [25, §11.2.3], and we achieve here an $O(n \lg n / \lg\lg n)$ bound for arbitrary finite abelian groups when p and r are suitably bounded. More generally, Algorithm 1 computes $\mathrm{DL}(\alpha, \beta)$ using

group operations, improving the dependence on m in both terms of (1).

Discrete logarithms may be applied to compute the structure of a finite abelian group. Typically, one uses discrete logarithms to construct a relation matrix, which is then reduced to yield a basis by computing the Smith normal form [7, 8, 28]. We take a simpler (and faster) approach, using our algorithm for discrete logarithms to directly construct a basis. Given a generating set S for a finite abelian p-group G of rank r, we give a deterministic generic algorithm to construct a basis using

(3) $T_B(S) = O\bigl(\lg^{2+\epsilon}|G| + (|S| - r + 1)\,T_{\mathrm{DL}}(G)\bigr)$

group operations, improving the $O(|S|\,|G|^{1/2})$ result of Buchmann and Schmidt [8].

The bound in (3) is minimized when |S| = r. If we pick a random subset $S \subset G$ of size r + O(1), then S generates G with very high probability [21]. When combined with an algorithm to compute the group exponent, this yields a generic Monte Carlo algorithm to compute the structure of an arbitrary finite abelian group using $O(|G|^{1/2})$ operations. When sufficiently tight bounds on the group order are known, this can be converted to a Las Vegas algorithm.

This approach can also be applied to a Sylow p-subgroup $H \subset G$. If the group exponent (or order) is known, the complexity then depends primarily on the size and shape of H, not G. This is useful when extracting pth roots in G, which only requires a basis for H [27].

^3 Pohlig and Hellman credit Roland Silver, and also Richard Schroeppel and H. Block, for (unpublished) independent discovery of the same algorithm [19, p. 107].
^4 Teske actually addresses a more general problem: find the minimal nontrivial solution (x, y) to $\beta^y = \alpha^x$, which we consider in Section 4. Note that we use $\lg x = \log_2 x$ throughout.

2. Abelian p-groups and Young tableaux

We begin by describing a bijection between finite abelian p-groups and Young tableaux that motivates our approach and allows us to fix some terminology.

We work in this section and the next with a basis $\alpha = (\alpha_1, \ldots, \alpha_r)$ for an abelian p-group G of order $p^n$, exponent $p^m$, and p-rank (rank) r. We let $|\alpha_i| = p^{n_i}$ and assume that $m = n_1 \ge \cdots \ge n_r \ge 1$. Up to isomorphism, G is determined by the integer partition $\pi(G) = (n_1, \ldots, n_r)$. For example, if

(4) $G \cong \mathbb{Z}/p^5\mathbb{Z} \times \mathbb{Z}/p^3\mathbb{Z} \times \mathbb{Z}/p\mathbb{Z}$,

then $\pi(G) = (5, 3, 1)$ is a partition of n = 9 into three parts, with Young diagram:

    ▢ ▢ ▢ ▢ ▢
    ▢ ▢ ▢
    ▢

A cyclic group has r = 1 and a single row in its diagram, while a group with prime exponent has m = 1 and a single column. In our example, G has r = 3 and m = 5. For each $\beta \in G$, we regard $x = \mathrm{DL}(\alpha, \beta)$ as an element of the ring

(5) $R_\alpha = \mathbb{Z}/|\alpha_1|\mathbb{Z} \times \cdots \times \mathbb{Z}/|\alpha_r|\mathbb{Z} = \mathbb{Z}/p^{n_1}\mathbb{Z} \times \cdots \times \mathbb{Z}/p^{n_r}\mathbb{Z}$.

The additive group of $R_\alpha$ is isomorphic to G, via the map $x \mapsto \alpha^x$ (the inverse map sends $\beta$ to $\mathrm{DL}(\alpha, \beta)$). We may write the components of $x \in R_\alpha$ in base p as

$$x_i = \sum_{j=1}^{n_i} x_{ij}\, p^{\,n_i - j},$$
where $x_{i1}$ is the most significant digit (and may be zero). We can then represent x (and $\beta = \alpha^x$) by a Young tableau of shape $\pi(G)$ with label $x_{ij}$ in the ith row and jth column. For our example G in (4), if p = 2 and x = (13, 5, 1), we have

(6)
    0 1 1 0 1
    1 0 1
    1

corresponding to $\beta = \alpha^x = \alpha_1^{13}\alpha_2^{5}\alpha_3$.

We wish to split the tableau above into left and right halves, allowing us to write

$$x = qv + u.$$

The vector q is a "shift" vector whose components are powers of p, while v and u correspond to the left and right halves of x respectively. These vectors are obtained by computing discrete logarithms in certain subgroups of G, as we now describe.

If we multiply x (exponentiate $\beta$) by the integer scalar $p^k$, this shifts the labels of the tableau to the left k places, leaving zeros on the right. In our example, if k = 2, we have 4x = (20, 4, 0), yielding

(7)
    [1 0 1] 0 0
    [1] 0 0
    0

(with the shifted labels in brackets), corresponding to $\beta^4 = \alpha_1^{20}\alpha_2^{4}$. The element $\beta^{p^k}$ lies in the subgroup of $p^k$th powers in G,

(8) $G^{p^k} = \{\beta^{p^k} : \beta \in G\}$,

which has a basis^5 $\gamma$ defined by $\gamma_i = \alpha_i^{p^k}$. The diagram of $G^{p^k}$ corresponds to the m − k rightmost columns in the diagram of G. In our example we have the shape $\pi(G^4) = (3, 1, 0) = (3, 1)$.



^5 Our definition of a basis allows $\gamma$ to contain trivial elements. In practice we may truncate $\gamma$.

Now let $u = \mathrm{DL}(\gamma, \beta^{p^k})$. The vector u is an element of $R_\gamma$, but as a vector of integers written in base p, the ith component of u contains the low order $n_i - k$ digits of the corresponding component of x (all of its digits, if $n_i \le k$). We may "clear" these digits of x by subtracting u from x (in $\mathbb{Z}^r$), to obtain a reduced element $z \in R_\alpha$. In our example we have u = (5, 1, 0), z = (8, 4, 1) and the tableau

(9)
    [0 1] 0 0 0
    [1 0] 0
    [1]

with the entries unaffected by subtracting u from x in brackets. The element $\beta\alpha^{-u}$ has order at most $p^k$ and lies in the $p^k$-torsion subgroup

(10) $G[p^k] = \{\beta : \beta^{p^k} = 1_G,\ \beta \in G\}$.

A basis $\delta$ for $G[p^k]$ is given by $\delta_i = \alpha_i^{q_i}$, where $q_i = p^{\max(0,\, n_i - k)}$. The diagram of $G[p^k]$ corresponds to the k leftmost columns of the diagram of G. In our example, $\pi(G[4]) = (2, 2, 1)$. If we now let $v = \mathrm{DL}(\delta, \beta\alpha^{-u})$, then z = qv and

$$x = qv + u$$

as desired. In our example we have q = (8, 2, 1) and v = (1, 2, 1), yielding

$$(13, 5, 1) = (8, 2, 1)(1, 2, 1) + (5, 1, 0),$$

where the product of vectors is taken componentwise. This equation effectively reconstructs the tableau in (6) by gluing together the bracketed portions of the tableaux in (7) and (9).

Note that u and v were defined via discrete logarithms in the subgroups $G^{p^k}$ and $G[p^k]$ respectively. This suggests a recursive approach, leading to base cases in subgroups corresponding to single columns in the Young diagram of G.

3. Computing discrete logarithms

A recursive algorithm, along the lines suggested above, yields an improvement over the result of Teske [30], and in the cyclic case is equivalent to Shoup's balanced divide-and-conquer version of the Pohlig-Hellman algorithm [25, §11.2.3]. However, we can achieve a further speedup by broadening the recursion tree, allowing us to take advantage of fixed-base exponentiation techniques. At the same time, we can structure the algorithm to facilitate precomputation, an important practical optimization in applications that rely heavily on discrete logarithms [11, 17].

We will need to compute discrete logarithms in various subgroups of the form

(11) $G(j, k) = \{\beta^{p^j} : \beta^{p^k} = 1_G,\ \beta \in G\}$,

for nonnegative integers j < k. The subgroup G(j, k) consists of all $p^j$th powers of order at most $p^{k-j}$, and corresponds to columns j + 1 through k in the diagram of G. If G has exponent $p^m$, then G = G(0, m).

We wish to obtain a basis for G(j, k) from our given basis $\alpha = (\alpha_1, \ldots, \alpha_r)$ for G. To this end, let $n_i = \log_p|\alpha_i|$, let $q_i = p^{\,j + \max(0,\, n_i - k)}$, and define

(12) $q(j, k) = (q_1, \ldots, q_r)$ and $\alpha(j, k) = \alpha^{q(j,k)} = (\alpha_1^{q_1}, \ldots, \alpha_r^{q_r})$.

Then $\alpha(j, k)$ is our desired basis, as we now show.

Lemma 1. Let $\alpha = (\alpha_1, \ldots, \alpha_r)$ be a basis for a finite abelian p-group G, and let j and k be nonnegative integers with j < k. Then $\alpha(j, k)$ is a basis for G(j, k).

Proof. Let $\gamma = \alpha(j, k)$. We first show that $\gamma$ is a basis for $\langle\gamma\rangle$. Suppose for the sake of contradiction that $\gamma^x = \gamma^y$ with $x, y \in R_\gamma$ distinct. We must have $x_i \ne y_i$ for some i, which implies $\gamma_i \ne 1_G$ and $q_i|\gamma_i| = |\alpha_i|$. We also have $\alpha^{q(j,k)x} = \alpha^{q(j,k)y}$. As $q_i x_i$ and $q_i y_i$ are distinct integers less than $|\alpha_i|$, the vectors $q(j, k)x$ and $q(j, k)y$ are distinct elements of $R_\alpha$. But this is a contradiction, since $\alpha$ is a basis.

We now prove $\langle\gamma\rangle = G(j, k)$. Every $\gamma_i$ is a $p^j$th power (since $p^j \mid q_i$) and has order at most $p^{k-j}$ (since $p^{n_i} \mid p^{k-j} q_i$), thus $\langle\gamma\rangle \subset G(j, k)$. Conversely, for $\delta \in G(j, k)$, if $x = \mathrm{DL}(\alpha, \delta)$, then $p^j \mid x_i$ and $p^{n_i} \mid p^{k-j} x_i$ for each i. If $k < n_i$ then $p^{\,n_i - k + j} \mid x_i$, so $q_i \mid x_i$ in every case. It follows that $\delta \in \langle\gamma\rangle$, hence $G(j, k) \subset \langle\gamma\rangle$. □

We now give a recursive algorithm to compute discrete logarithms in G(j, k), using $\alpha(j, k)$ and q(j, k) as defined above. Note that if $j \le j' < k' \le k$, then each component of q(j, k) divides the corresponding component of q(j', k'), and we may then write q(j', k')/q(j, k) to denote point-wise division. For convenience, let $\mathrm{DL}_\alpha(j, k, \beta)$ denote $\mathrm{DL}(\alpha(j, k), \beta)$. We assume the availability of a standard algorithm for computing discrete logarithms in the base cases, as discussed below.

Algorithm 1. Given a basis $\alpha$ for a finite abelian p-group G and $t \in \mathbb{Z}_{>0}$, the following algorithm computes $\mathrm{DL}_\alpha(j, k, \beta)$ for integers $0 \le j < k$ and $\beta \in G(j, k)$:

1. If $k - j \le t$, compute $x \leftarrow \mathrm{DL}_\alpha(j, k, \beta)$ as a base case and return x.

2. Choose integers $j_1, \ldots, j_w$ satisfying $j = j_1 < j_2 < \cdots < j_w < j_{w+1} = k$.

3. Compute $\gamma_i \leftarrow \beta^{p^{\,j_i - j}}$ for i from 1 to w, and set $x \leftarrow 0$.

4. For i from w down to 1:

   a. Recursively compute $v \leftarrow \mathrm{DL}_\alpha(j_i, j_{i+1}, \gamma_i\,\alpha(j_i, k)^{-x})$.

   b. Set $x \leftarrow sv + x$, where $s = q(j_i, j_{i+1})/q(j_i, k)$.

5. Return x.

Example 1. Let G be cyclic of order $p^{19}$ with basis $\alpha$, j = 6 and k = 13. Then $q(6, 13) = p^{6 + \max(0,\, 19 - 13)} = p^{12}$, and $\alpha^{p^{12}}$ is the basis for G(6, 13). Let $j_2 = 8$ and $j_3 = 11$, so that (6, 13] is partitioned into sub-intervals (6, 8], (8, 11], and (11, 13]. We then have $q(11, 13) = p^{17}$, $q(8, 11) = p^{16}$, $q(6, 8) = p^{17}$, and also $q(8, 13) = p^{14}$. For $\beta \in G(6, 13)$, Algorithm 1 computes

$v_3 = \mathrm{DL}(\alpha^{p^{17}}, \beta^{p^5})$, $x_3 = v_3$;

$v_2 = \mathrm{DL}(\alpha^{p^{16}}, \beta^{p^2}\alpha^{-p^{14} v_3})$, $x_2 = p^2 v_2 + v_3$;

$v_1 = \mathrm{DL}(\alpha^{p^{17}}, \beta\,\alpha^{-p^{12} x_2})$, $x_1 = p^5 v_1 + p^2 v_2 + v_3$.

The final value $x = x_1$ contains 7 base-p digits: 2 in $v_1$, 3 in $v_2$, and 2 in $v_3$.

Example 2. Suppose instead that G is cyclic of order $p^9$, but keep the other parameters as above. We then have $q(6, 13) = p^6$, $q(11, 13) = p^{11}$, $q(8, 11) = p^8$, $q(6, 8) = p^7$, and $q(8, 13) = p^8$. For $\beta \in G(6, 13)$, the algorithm now computes

$v_3 = \mathrm{DL}(1_G, 1_G)$, $x_3 = v_3 = 0$;

$v_2 = \mathrm{DL}(\alpha^{p^8}, \beta^{p^2}\alpha^{-p^8 v_3})$, $x_2 = v_2$;

$v_1 = \mathrm{DL}(\alpha^{p^7}, \beta\,\alpha^{-p^6 x_2})$, $x_1 = p v_1 + v_2$.

The computation of $x_3$ requires no group operations; the algorithm can determine $\alpha(11, 13) = 1_G$ from the fact that 11 > 9 (since $|\alpha| = p^9$ is given). The final value $x = x_1$ contains 3 base-p digits: 2 in $v_1$ and 1 in $v_2$.

These examples illustrate the general situation; we compute discrete logarithms in r cyclic groups in parallel. The second example is contrived, but it shows what happens when a cyclic factor of G has order less than $p^k$.

We assume that no cost is incurred by trivial operations (those involving the identity element). As a practical optimization, the loop in Step 4 may begin with the largest i for which $\gamma_i \ne 1_G$ (it will compute x = 0 up to this point in any event).
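The following Python is an added worked example, not code from the paper. It models a finite abelian p-group as a black box exposing only multiplication, inversion and exponentiation, implements Algorithm 1 over the basis $\alpha(j, k)$ of (12), and builds the one-step split x = qv + u of Section 2 from two calls to it. The exhaustive-search base case (the paper uses baby-step giant-step or rho), the equal-size choice of the cut points $j_i$, and all class and function names are this example's own choices; the group of (4) with x = (13, 5, 1) and the cyclic group of Example 1 are used as inputs.

```python
from itertools import product


class PGroup:
    """Black-box model of G = Z/p^n_1 Z x ... x Z/p^n_r Z.  The paper writes G
    multiplicatively; elements are stored additively here, but the DL code
    only calls identity/mul/inv/pow, so any other black-box group would do."""

    def __init__(self, p, ns):
        self.p, self.ns = p, list(ns)
        self.orders = [p ** n for n in ns]

    def identity(self):
        return tuple(0 for _ in self.ns)

    def mul(self, a, b):
        return tuple((x + y) % o for x, y, o in zip(a, b, self.orders))

    def inv(self, a):
        return tuple((-x) % o for x, o in zip(a, self.orders))

    def pow(self, a, e):
        return tuple((x * e) % o for x, o in zip(a, self.orders))

    def basis(self):
        r = len(self.ns)
        return [tuple(int(i == j) for j in range(r)) for i in range(r)]


def q_vec(p, ns, j, k):
    """q(j,k) from (12): q_i = p^(j + max(0, n_i - k))."""
    return [p ** (j + max(0, n - k)) for n in ns]


def basis_pow(G, alpha, qs, x):
    """alpha(j,k)^x = prod_i alpha_i^(q_i * x_i)."""
    acc = G.identity()
    for a, q, xi in zip(alpha, qs, x):
        acc = G.mul(acc, G.pow(a, q * xi))
    return acc


def dl_base(G, alpha, ns, j, k, beta):
    """Base case DL_alpha(j,k,beta) by exhaustive search over R_alpha(j,k)
    (the paper uses BSGS or rho here).  Component i of alpha(j,k) has
    order p^max(0, min(n_i,k) - j), which fixes the search ranges."""
    qs = q_vec(G.p, ns, j, k)
    ranges = [range(G.p ** max(0, min(n, k) - j)) for n in ns]
    for x in product(*ranges):
        if basis_pow(G, alpha, qs, x) == beta:
            return list(x)
    raise ValueError("beta is not in G(j,k)")


def dl_alg1(G, alpha, ns, j, k, beta, t=1, w=3):
    """Algorithm 1: DL_alpha(j,k,beta) for beta in G(j,k), splitting (j,k]
    into w roughly equal subintervals at each level of the recursion."""
    p = G.p
    if k - j <= t:                                              # step 1
        return dl_base(G, alpha, ns, j, k, beta)
    w = min(w, k - j)
    cuts = [j + (i * (k - j)) // w for i in range(w)] + [k]    # step 2: j_1 < ... < j_{w+1} = k
    gammas = [G.pow(beta, p ** (ji - j)) for ji in cuts[:w]]   # step 3: gamma_i = beta^(p^(j_i - j))
    x = [0] * len(ns)
    for i in range(w - 1, -1, -1):                              # step 4
        ji, jn = cuts[i], cuts[i + 1]
        q_ji_k = q_vec(p, ns, ji, k)
        target = G.mul(gammas[i], G.inv(basis_pow(G, alpha, q_ji_k, x)))  # gamma_i * alpha(j_i,k)^(-x)
        v = dl_alg1(G, alpha, ns, ji, jn, target, t, w)                   # 4a
        s = [a // b for a, b in zip(q_vec(p, ns, ji, jn), q_ji_k)]        # 4b: s = q(j_i,j_{i+1}) / q(j_i,k)
        x = [si * vi + xi for si, vi, xi in zip(s, v, x)]
    qs = q_vec(p, ns, j, k)                                     # reduce into R_alpha(j,k)
    return [xi % (o // qi) if qi < o else 0 for xi, o, qi in zip(x, G.orders, qs)]


def split_step(G, alpha, ns, beta, k):
    """The Section 2 decomposition x = q*v + u: u is a DL in G^(p^k) = G(k,m),
    v a DL in G[p^k] = G(0,k) after clearing the low digits with alpha^(-u)."""
    m = max(ns)
    u = dl_alg1(G, alpha, ns, k, m, G.pow(beta, G.p ** k))
    cleared = G.mul(beta, G.inv(basis_pow(G, alpha, [1] * len(ns), u)))
    v = dl_alg1(G, alpha, ns, 0, k, cleared)
    return q_vec(G.p, ns, 0, k), v, u


if __name__ == "__main__":
    G = PGroup(2, [5, 3, 1])                     # the group of (4) with p = 2
    alpha = G.basis()
    beta = (13, 5, 1)                            # beta = alpha_1^13 alpha_2^5 alpha_3
    print(split_step(G, alpha, G.ns, beta, 2))   # q, v, u of (6)-(9)
    print(dl_alg1(G, alpha, G.ns, 0, 5, beta))   # DL(alpha, beta)
```

Running `split_step` on the element of (6) with k = 2 returns q = (8, 2, 1), v = (1, 2, 1) and u = (5, 1, 0), the values displayed after (10), and the full call `dl_alg1(G, alpha, ns, 0, 5, beta)` recovers (13, 5, 1). The trivial-component handling in `dl_base` and in the final reduction is what Example 2 describes: a factor with $n_i \le j$ contributes nothing to $\alpha(j, k)$ and its digit is forced to 0.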

The correctness of Algorithm 1 follows inductively from the lemma below.

Lemma 2. Let $\alpha$ be a basis for a finite abelian p-group G and let j, j', k', and k be integers with $0 \le j \le j' < k' \le k$. For all $\beta \in G(j, k)$ the following hold:

(i) If $x = \mathrm{DL}_\alpha(k', k, \beta^{p^{\,k'-j}})$ and $\gamma = \beta^{p^{\,j'-j}}\alpha(j', k)^{-x}$, then $\gamma \in G(j', k')$.

(ii) If we also have $v = \mathrm{DL}_\alpha(j', k', \gamma)$ and $s = q(j', k')/q(j', k)$, then $sv + x = \mathrm{DL}_\alpha(j', k, \beta^{p^{\,j'-j}})$.

Proof. For (i), note that $\beta$ is a $p^j$th power, so $\beta^{p^{\,j'-j}}$ is a $p^{j'}$th power, and every element of $\langle\alpha(j', k)\rangle$ is a $p^{j'}$th power, hence $\gamma$ is a $p^{j'}$th power. We also have

$$\gamma^{p^{\,k'-j'}} = \bigl(\beta^{p^{\,j'-j}}\alpha(j', k)^{-x}\bigr)^{p^{\,k'-j'}} = \beta^{p^{\,k'-j}}\alpha(j', k)^{-p^{\,k'-j'}x}.$$

It follows from the definition in (12) that $\alpha(j', k)^{-p^{\,k'-j'}x} = \alpha(k', k)^{-x}$, since we have $j' + \max(0, n_i - k) + k' - j' = k' + \max(0, n_i - k)$. We then obtain

$$\gamma^{p^{\,k'-j'}} = \beta^{p^{\,k'-j}}\alpha(k', k)^{-x} = \beta^{p^{\,k'-j}}\bigl(\beta^{p^{\,k'-j}}\bigr)^{-1} = 1_G.$$

Thus $\gamma$ has order at most $p^{k'-j'}$, and therefore $\gamma \in G(j', k')$, proving (i).

Note that $k' \le k$ implies $\max(0, n_i - k') \ge \max(0, n_i - k)$, so q(j', k') is divisible (component-wise) by q(j', k), and s in (ii) is well defined. Now

$$\alpha(j', k)^{sv} = \alpha^{q(j',k)sv} = \alpha^{q(j',k')v} = \alpha(j', k')^{v} = \gamma = \beta^{p^{\,j'-j}}\alpha(j', k)^{-x},$$

and therefore $\alpha(j', k)^{sv + x} = \beta^{p^{\,j'-j}}$, proving (ii). □

We now consider the parameter t in Algorithm 1. If $p^r$ is small, we precompute a lookup table for G(0, t), containing at most $p^{rt}$ group elements, for some suitable value of t. This will handle all the base cases, since they arise in subgroups G(j, k) of G(0, t), where $k - j \le t$. This is especially effective when one can amortize the cost over many discrete logarithm computations, in which case a larger t is beneficial. In applications where $p^r = O(1)$, one typically chooses t to be logarithmic in the relevant problem size (which may be larger than |G|).

When $p^r$ is large, we instead set t = 1 and use a standard $O(\sqrt{N})$ algorithm for computing discrete logarithms in finite abelian groups. A space-efficient algorithm derived from Pollard's rho method is given in [28], and a baby-steps giant-steps variant can be found in [26, Alg. 9.3] (see Section 6 for optimizations).

When partitioning the interval (j, k] into subintervals in Step 2, we assume the subintervals are of approximately equal size, as determined by the choice of w. The choice w = k − j limits the recursion depth to 1 and corresponds to the standard Pohlig-Hellman algorithm. The choice w = 2 yields a balanced binary recursion tree. This might appear to be an optimal choice, but we can actually do better with a somewhat larger choice of w, using fixed-base exponentiation techniques.

We recall a theorem of Yao.

Theorem 1 (Yao^6). There is an online algorithm that, given $\gamma \in G$ and any input sequence of positive integers $e_1, \ldots, e_w$, outputs $\gamma^{e_1}, \ldots, \gamma^{e_w}$ using at most

$$\lg E + c\,w\left\lceil \frac{\lg E}{\lg\lg(E + 2)} \right\rceil$$

multiplications, where $E = \max_i\{e_i\}$ and c < 2 is a constant.^7

The online algorithm in the theorem outputs $\gamma^{e_i}$ before receiving the input $e_{i+1}$. If we set $n = \lg E$, Yao's Theorem tells us that provided $w = O(\lg n)$, we can perform w exponentiations of a common base with n-bit exponents using just O(n) multiplications, the same bound as when w = 1. There are several algorithms that achieve Yao's bound [5, 18], and they typically require storage for $O(n/\lg n)$ group elements.

Consider the execution of Algorithm 1 computing $\mathrm{DL}(\alpha, \beta) = \mathrm{DL}_\alpha(0, m, \beta)$. It will be convenient to label the levels of the recursion tree with $\ell = 0$ at the bottom, and $\ell = d$ at the top, where d is the maximum depth of the recursion. At each level the interval (0, m] is partitioned into successively smaller subintervals. We let $s_d = m$ denote the size of the initial interval at level d, and at level $\ell$ partition each interval into approximately $w_\ell$ subintervals of maximum size $s_{\ell-1} = \lceil s_\ell / w_\ell \rceil$ and minimum size $\lfloor s_\ell / w_\ell \rfloor$.

[Figure: recursion tree for m = 100 (not reproduced).]

In the tree above we start at level $\ell = 3$ with $s_3 = m = 100$ and $w_3 = 7$, partitioning 100 into two subintervals of size $s_2 = 15$ and five subintervals of size 14. We then have $w_2 = 5$ and $s_1 = 3$, and finally $w_1 = 3$ and $s_0 = 1$. The base cases are all at level 0 in this example, but in general may also occur at level 1. The fan-out of each node at level $\ell$ is $w_\ell$, except possibly at level 1 (in this example, we cannot partition 2 into three parts).

Our strategy is to choose $w_\ell \approx \min(\lg(s_\ell \lg p), s_\ell)$ and apply Yao's Theorem to bound the cost at each level of the recursion tree by $O(\log|G|)$ group operations, not including the base cases. The standard Pohlig-Hellman approach reduces the problem to base cases in one level, potentially incurring a cost of $O(\log^2|G|)$ to do so. A binary recursion uses $O(\lg|G|)$ group operations at each level, but requires $O(\lg m)$ levels, while we only need $O(\lg m / \lg\lg m)$.

With these ideas in mind, we now prove an absolute bound on the running time of Algorithm 1. An asymptotic bound appears in the corollary that follows.



^6 Pippenger gives a better bound for large w, but not necessarily an online algorithm [5, 18].
^7 For large E, the constant c approaches 1.
Proposition 1. Let $\alpha = (\alpha_1, \ldots, \alpha_r)$ be a basis for a finite abelian p-group G with rank r and exponent $p^m$. Set $n_i = \log_p|\alpha_i|$, and let $r_j$ be the rank of the subgroup of $p^j$th powers in G. There is a generic algorithm to compute $\mathrm{DL}(\alpha, \beta)$ using

$$T_{\mathrm{DL}}(G) \le c\sum_{i=1}^{r}\frac{\lg(n_i + 2)}{\lg\lg(n_i + 2)}\lg|\alpha_i| \;+\; c\sum_{j=0}^{m-1} p^{r_j/2}$$

group operations, where c is an absolute constant independent of G.

When a probabilistic algorithm is used for the base cases (such as the rho method), the algorithm in the proposition is probabilistic and $T_{\mathrm{DL}}(G)$ refers to the expected running time, but otherwise the algorithm is deterministic. The bound on $T_{\mathrm{DL}}(G)$ depends only on the structure of G, not the basis $\alpha$.

Proof of Proposition 1. We use Algorithm 1 to compute $\mathrm{DL}(\alpha, \beta) = \mathrm{DL}_\alpha(0, m, \beta)$ using t = 1. As discussed above, we label the levels of the recursion tree with $\ell = 0$ at the base and $\ell = d$ at the root. We let $s_\ell$ denote the size of the first interval at level $\ell$, and assume that all others have size at least $s_\ell - 1$ and at most $s_\ell$. Thus $s_d = m$, and we recursively define $s_{\ell-1} = \lceil s_\ell / w_\ell \rceil$ down to $s_0 = 1$. To simplify the proof we use $w_\ell = \lceil \lg(2 s_\ell) \rceil$ (independent of p), and assume $n_1 = m$.

There is a base case in G(j, j + 1) for each $0 \le j < m$, with $|G(j, j + 1)| = p^{r_j}$. Applying either of the standard $O(\sqrt{N})$ discrete logarithm algorithms to the base cases yields the second sum in the bound for $T_{\mathrm{DL}}(G)$, with $c \approx 2$.

At level $\ell$ of the recursion tree, the total cost of Step 3 is bounded by

$$T_1(\ell) \le m\,(2\lg p) = 2\lg|\alpha_1|,$$

since m exponentiations by p are required. The total cost of the multiplications by $\gamma_i$ in Step 4a is bounded by $T_2(\ell) = m \le \lg|\alpha_1|$.

All other group operations occur in exponentiations in Step 4a. These are of the form $\alpha(j', k)^{-x}$, where $j \le j' < k$. To bound their cost, we consider the cost $T(\alpha_i, \ell)$ associated to a particular $\alpha_i$ at level $\ell$. The exponentiation of $\alpha_i$ is nontrivial only when $j' < n_i$ and $x_i \ne 0$. Thus to bound $T(\alpha_i, \ell)$, we only count exponentiations with $j' < n_i$, and only consider levels $\ell$ of the recursion tree with $s_{\ell-1} < n_i$, since at all higher levels $x_i$ will still be zero.

In the recursive call to compute $\mathrm{DL}_\alpha(j, k, \beta)$, we may compute $\alpha(j', k)^{-x}$ using fixed bases $\alpha^{-q}$, where q = q(j, k) as in (12), since q(j, k) divides q(j', k) for all $j' \ge j$. For each $\alpha_i$ we can precompute all the $\alpha_i^{-q_i}$ for a cost of

$$T_0(\alpha_i) \le 2 n_i \lg p = 2\lg|\alpha_i|.$$

At level $\ell > 0$ with $s_{\ell-1} < n_i$, there are $\lceil n_i / s_\ell \rceil$ instances of up to $w_\ell - 1$ nontrivial exponentiations involving $\alpha_i$. These are computed using the common base $\alpha_i^{-q}$, with exponents bounded by $E = \min(p^{s_\ell}, |\alpha_i|)$. Applying Yao's Theorem,

$$T(\alpha_i, \ell) \le \left\lceil \frac{n_i}{s_\ell} \right\rceil \left(\lg E + c\,(w_\ell - 1)\left\lceil \frac{\lg E}{\lg\lg(E + 2)} \right\rceil\right).$$

If $s_\ell > n_i$, we replace $\lceil n_i / s_\ell \rceil$ by 1 and $\lg E$ by $\lg|\alpha_i|$, otherwise we replace $\lg E$ by $s_\ell \lg p$. We then apply $\lceil z \rceil \le 2z$ (for $z \ge 1$) to remove both ceilings and obtain

(13) $T(\alpha_i, \ell) \le 2\lg|\alpha_i|\left(1 + \dfrac{2c\,(w_\ell - 1)}{\lg\lg(E + 2)}\right)$.

If $E = p^{s_\ell}$ then $(w_\ell - 1)/\lg\lg(E + 2) \le 2$. Otherwise $E = |\alpha_i|$, and then

$$\lg(E + 2) > n_i \ge s_{\ell-1} + 1 = \lceil s_\ell / w_\ell \rceil + 1 \ge s_\ell/(\lg s_\ell + 2) + 1,$$

which implies $(w_\ell - 1)/\lg\lg(E + 2) \le 3$. This yields $T(\alpha_i, \ell) \le 26\lg|\alpha_i|$.

It remains to bound the number of levels $\ell > 0$ with $s_{\ell-1} < n_i$. This is equal to the least $\ell$ for which $s_\ell \ge n_i$, which we denote $d(n_i)$. We derive an upper bound on $d(n_i)$ as a function of $n_i$ by proving a lower bound on $s_\ell$ as a function of $\ell$.

We recall that $s_0 = 1$ and for $\ell > 0$ we have $w_\ell = \lceil \lg(2 s_\ell) \rceil \ge 2$ and $s_\ell \ge 2 s_{\ell-1}$. This implies $w_\ell \ge \ell + 1$ and $s_\ell \ge \ell\, s_{\ell-1} \ge \ell!$ for all $\ell > 0$. Stirling's formula yields a lower bound on $s_\ell$, from which one obtains the upper bound

(14) $d(n_i) \le \dfrac{[\text{numerator not legible in the source}]}{\lg\lg(n_i + 2)}$,

valid for $d(n_i) \ge 14$. The lexicographically minimal sequence of integers satisfying $s_0 = 1$ and $s_{\ell-1} = \lceil s_\ell / \lceil \lg(2 s_\ell) \rceil \rceil$ for all $\ell > 0$ begins 1, 2, 4, 16, 121, 1441, ..., and one finds that $s_1, \ldots, s_{13}$ satisfy (14) with $n_i = s_\ell$ and $d(n_i) = \ell$.

The total cost of all computations outside of the base cases is then bounded by

$$\sum_{\ell=1}^{d}\bigl(T_1(\ell) + T_2(\ell)\bigr) + \sum_{i=1}^{r}\Bigl(T_0(\alpha_i) + \sum_{\ell=1}^{d(n_i)} T(\alpha_i, \ell)\Bigr) \le c\sum_{i=1}^{r}\frac{\lg(n_i + 2)}{\lg\lg(n_i + 2)}\lg|\alpha_i|,$$

where we use $d = d(n_1)$, and the constant c < 57. This yields the first sum in the bound for $T_{\mathrm{DL}}(G)$ and completes the proof. □

For the sake of brevity we have greatly overestimated the constant c in the proof above. Empirically, c is always less than 2, and typically close to 1 (see Section 6).

The space used by Algorithm 1 depends on how the base cases are handled, but can be bounded by $O(\lg|G| / \lg\lg|G|)$ group elements. The number of distinct $\alpha_i^{-q_i}$ that need to be precomputed fits within this bound. In practice, additional precomputation using slightly more storage, perhaps $O(\lg|G|)$ elements, can accelerate both the exponentiations and the base cases [27].

For many groups arising "in nature", both sums in the bound for $T_{\mathrm{DL}}(G)$ are typically dominated by their first terms. Divisor class groups of curves and ideal class groups of number fields are, at least heuristically, two examples. One often sees an L-shaped Young diagram, with $n \approx m + r$, where $n = \log_p|G|$. Algorithm 1 yields a useful improvement here, with a complexity of $O(p^{r/2})$ versus the bound in (1). More generally, we have the following corollary.

Corollary 1. Let $\alpha$ be a basis for a finite abelian p-group G of size $p^n$, exponent $p^m$, and rank r. There is a generic algorithm to compute $\mathrm{DL}(\alpha, \beta)$ using

$$T_{\mathrm{DL}}(G) = O\!\left(\frac{\lg(m + 2)}{\lg\lg(m + 2)}\lg|G| + \frac{n}{r}\,p^{r/2}\right)$$

group operations.

Proof. The first term is immediate from Proposition 1, since $\lg|G| = \sum_{i=1}^{r}\lg|\alpha_i|$ and $n_i \le m$ for all i. For the second term, consider $\sum_{j=0}^{m-1} p^{r_j/2}$. We have $r = r_0 \ge r_1 \ge \cdots \ge r_{m-1}$ and $n = r_0 + \cdots + r_{m-1}$. For fixed r and n, the worst case, up to a constant factor, occurs when the $r_j$ are roughly equal (one uses Lemma 5 to prove this). □

The asymptotic upper bound on $T_{\mathrm{DL}}(G)$ achieved here is nearly tight for generic algorithms. When $r = \Theta(n)$, the bound in the corollary becomes $O(p^{n/2})$, matching Shoup's $\Omega(p^{n/2})$ lower bound. Even when this is not the case, one may argue, along the lines of Shoup, that the sum $\sum_j p^{r_j/2}$ in Proposition 1 is tight in any event. The first term in the corollary is $O(\lg^{1+\epsilon}|G|)$, and one does not expect to do better than $O(\lg|G|)$, given an $\Omega(\lg|G|)$ lower bound for exponentiation.

To complete our discussion of discrete logarithms, we give an algorithm to compute $\mathrm{DL}(\alpha, \beta)$ in an arbitrary finite abelian group G. We assume that $\alpha$ is a prime-power basis for G, composed of bases $\alpha_p$ for each of the Sylow p-subgroups of G. The construction of such a basis is discussed in the next section (and readily obtained from a given basis in any event).

Algorithm 2. Given a prime-power basis $\alpha$ for a finite abelian group G with $|G| = N = q_1 \cdots q_k$ a factorization into powers of distinct primes $p_1, \ldots, p_k$, and $\beta \in G$, the following algorithm computes $x = \mathrm{DL}(\alpha, \beta)$:

1. Let $M_j = N/q_j$ and compute $\beta_j \leftarrow \beta^{M_j}$ for j from 1 to k.

2. Compute $x_j \leftarrow \mathrm{DL}(\alpha_{p_j}, \beta_j)$ using Algorithm 1.

3. Set $x \leftarrow x_1/M_1 \circ \cdots \circ x_k/M_k$.

The symbol "∘" denotes concatenation of vectors. Since $\beta_j^{q_j} = 1_G$, we must have $\beta_j \in \langle\alpha_{p_j}\rangle$, and the components of $\alpha_{p_j}$ all have order a power of $p_j$. The exponent vector $x_j$ is thus divisible by $M_j$, since $M_j$ is coprime to $p_j$ and therefore a unit in each factor of the ring $R_{\alpha_{p_j}}$. The correctness of Algorithm 2 follows easily.

Let $n = \lg N$. For $k = O(\lg n)$, the exponentiations in Step 1 can be performed using O(n) group operations, by Yao's Theorem. As k approaches n, this bound increases to $O(n^2/(\lg n)^2)$, and one should instead apply the $O(n\lg n / \lg\lg n)$ algorithm of [26, Alg. 7.4]. The total running time is then

(15) $T_{\mathrm{DL}}(G) = O\!\left(\dfrac{\lg n}{\lg\lg n}\lg|G|\right) + \sum_{j} T_{\mathrm{DL}}(G_{p_j})$

group operations, where $G_{p_j}$ denotes the Sylow $p_j$-subgroup of G. For sufficiently large |G|, the bound for $T_{\mathrm{DL}}(G)$ is dominated by the sum in (15).
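The following Python is an added example, not code from the paper, showing Algorithm 2 in the multiplicative group $(\mathbb{Z}/N\mathbb{Z})^*$ of a prime N whose order N − 1 is smooth. The Sylow-subgroup logarithms of Step 2 are computed here by plain Pohlig-Hellman digit lifting (the w = k − j choice discussed after Algorithm 1) rather than by Algorithm 1, and the result is recombined into an integer logarithm base a generator g. The moduli 631 and 65537, the exhaustive-search base case and all helper names are this example's own choices.

```python
from functools import reduce


def dl_prime_power(g, h, p, e, N):
    """DL of h to base g in (Z/NZ)^*, where g has order p^e.  Plain
    Pohlig-Hellman digit lifting (the w = k - j choice of Algorithm 1);
    each base case is solved by exhaustive search in the order-p subgroup."""
    x = 0
    g_p = pow(g, p ** (e - 1), N)                      # generator of the order-p subgroup
    for i in range(e):
        # strip the digits found so far, then project onto the order-p subgroup
        t = pow(h * pow(g, -x, N) % N, p ** (e - 1 - i), N)
        d = next(d for d in range(p) if pow(g_p, d, N) == t)
        x += d * p ** i
    return x


def group_order(factors):
    """N - 1 = prod p^e from its factorization {p: e}."""
    return reduce(lambda a, b: a * b, (p ** e for p, e in factors.items()), 1)


def find_generator(factors, N):
    """Smallest g generating (Z/NZ)^* for a prime N with N - 1 = prod p^e."""
    order = group_order(factors)
    return next(g for g in range(2, N)
                if all(pow(g, order // p, N) != 1 for p in factors))


def prime_power_basis(g, factors, N):
    """Prime-power basis: alpha_p = g^(M_p) generates the Sylow p-subgroup."""
    order = group_order(factors)
    return {p: (pow(g, order // p ** e, N), e) for p, e in factors.items()}


def dl_alg2(basis, beta, N):
    """Algorithm 2: returns z with beta = prod_p alpha_p^(z_p), as {p: z_p}."""
    order = group_order({p: e for p, (_, e) in basis.items()})
    z = {}
    for p, (alpha_p, e) in basis.items():
        q, M = p ** e, order // p ** e
        beta_p = pow(beta, M, N)                        # step 1: beta_p = beta^(M_p)
        x_p = dl_prime_power(alpha_p, beta_p, p, e, N)  # step 2: DL in the Sylow p-subgroup
        z[p] = x_p * pow(M, -1, q) % q                  # step 3: x_p / M_p, M_p a unit mod q
    return z


def dl_via_alg2(g, factors, beta, N):
    """Integer DL base g: beta = g^y with y = sum_p M_p z_p mod (N - 1)."""
    order = group_order(factors)
    z = dl_alg2(prime_power_basis(g, factors, N), beta, N)
    return sum((order // p ** e) * z[p] for p, e in factors.items()) % order


if __name__ == "__main__":
    N, factors = 631, {2: 1, 3: 2, 5: 1, 7: 1}          # 630 = 2 * 3^2 * 5 * 7
    g = find_generator(factors, N)
    print(g, dl_via_alg2(g, factors, pow(g, 123, N), N))  # recovers 123
```

Every base case above searches at most p candidates, so the whole logarithm costs a handful of exponentiations once N − 1 is smooth; the same reduction is why Diffie-Hellman and DSA parameters are chosen so that the group order has a large prime factor, which leaves one Sylow subgroup on which Shoup's $\Omega(|G|^{1/2})$ bound applies.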

4. Constructing a basis for a finite abelian p-group

For a finite abelian group G, the group structure problem asks for a factor decomposition of G into cyclic groups of prime-power order, with a generator for each factor. This is equivalent to computing a basis for each of the (nontrivial) Sylow p-subgroups of G. We first suppose that G is a p-group, then give a reduction for the general case in Section 5.

Typically, a basis is derived from a matrix of relations among elements of a generating set for the group [5, 7, 8, 28]. This generating set may be given, or obtained (with high probability) from a random sample. One then computes the Smith normal form of the relation matrix [11, §2.4], applying corresponding group operations to the generating set to produce a basis.

Relations may be obtained via extended discrete logarithms. If $\alpha$ is a basis for a subgroup of G and $\beta \in G$, then $\mathrm{EDL}(\alpha, \beta)$ is the pair (x, y) satisfying $\beta^y = \alpha^x$ that minimizes y > 0, with $x \in R_\alpha$. In a p-group, y is necessarily a power of p.
While our approach does not require us to compute $\mathrm{EDL}(\alpha, \beta)$, we note that any algorithm for $\mathrm{DL}(\alpha, \beta)$ can be used to compute $\mathrm{EDL}(\alpha, \beta)$.

Lemma 3. Given a basis $\alpha$ for a subgroup of a finite abelian p-group G and $\beta \in G$, there is a generic algorithm to compute $\mathrm{EDL}(\alpha, \beta)$ using at most

$$\lceil \lg(\log_p|\beta|) \rceil\, T_{\mathrm{DL}}(G) + 2\lg|\beta|$$

group operations.

Proof. Assume Algorithm 1 returns an error whenever a base case fails.^8 Compute $\beta^{p^j}$ for $0 \le j \le \log_p|\beta|$, then use a binary search to find the least j for which one can successfully compute $x = \mathrm{DL}(\alpha, \beta^{p^j})$ (if $\beta^{p^j} \in \langle\alpha\rangle$ then $\beta^{p^{j'}} \in \langle\alpha\rangle$ for every $j' > j$, so the search is well defined). We then have $\mathrm{EDL}(\alpha, \beta) = (x, p^j)$. □

Teske gives an algorithm to directly compute $\mathrm{EDL}(\alpha, \beta)$, avoiding the $\lg(\log_p|\beta|)$ factor above, but this may still be slower than applying Lemma 3 to Algorithm 1. Alternatively, we may modify Algorithm 1 to solve a slightly easier problem. Instead of solving $\beta = \alpha^x$, we seek a solution to $\beta^{p^h} = \alpha^{p^h x}$.

More specifically, let us define a function $\mathrm{DL}^*_\alpha(j, k, \beta)$ that extends the function $\mathrm{DL}_\alpha(j, k, \beta)$ computed by Algorithm 1. If $\alpha$ is a basis for a subgroup of an abelian p-group G and $\beta \in G$, we wish to compute a pair (x, h), with $x = \mathrm{DL}_\alpha(j + h, k, \beta^{p^h})$ and $h \ge 0$ minimal. It may be that there is no $h < k - j$ for which such a pair exists, and in this case^9 we let $h = k - j$ and x = 0. When $\alpha$ generates a subgroup with exponent $p^m$, we use $\mathrm{DL}^*(\alpha, \beta)$ to denote $\mathrm{DL}^*_\alpha(0, m, \beta)$.

Algorithm 3. Let $\alpha$ be a basis for a subgroup of a finite abelian p-group G and let $t \in \mathbb{Z}_{>0}$. Given $\beta \in G$ and $0 \le j < k$, compute $(x, h) = \mathrm{DL}^*_\alpha(j, k, \beta)$ as follows:

1. If $k - j \le t$, compute $(x, h) \leftarrow \mathrm{DL}^*_\alpha(j, k, \beta)$ as a base case. Return (x, h).

2. Choose integers $j_1, \ldots, j_w$ satisfying $j = j_1 < j_2 < \cdots < j_w < j_{w+1} = k$.

3. Compute $\gamma_i \leftarrow \beta^{p^{\,j_i - j}}$ for i from 1 to w, and set $x \leftarrow 0$.

4. For i from w down to 1:

   a. Recursively compute $(v, h) \leftarrow \mathrm{DL}^*_\alpha(j_i, j_{i+1}, \gamma_i\,\alpha(j_i, k)^{-x})$.

   b. Set $x \leftarrow sv + x$, where $s = q(j_i + h, j_{i+1})/q(j_i + h, k)$.

   c. If h > 0 then return $(x, j_i - j + h)$.

5. Return (x, 0).

(The h returned in Step 4c is measured from j, as the definition of $\mathrm{DL}^*_\alpha(j, k, \beta)$ requires: the recursive call found that $\gamma_i^{p^h} = \beta^{p^{\,(j_i - j) + h}}$ has the desired form, so when a base case fails outright the returned value is $k - j$.)

For t = 1, the base case simply computes $x = \mathrm{DL}(\alpha(j, k), \beta)$ and returns (x, 0), or (0, 1) if a failure occurs. When t > 1, one applies Lemma 3 (if a lookup table is used, this means $O(\lg t)$ table lookups and $O(t\lg p)$ group operations).

Aside from the computation of h and the possibility of early termination, Algorithm 3 is essentially the same as Algorithm 1. Indeed, assuming t = 1, if (x, h) is the output of Algorithm 3 on input $\beta$, the sequence of group operations performed by Algorithm 1 on input $\beta^{p^h}$ will be effectively identical (ignoring operations involving the identity). Thus the complexity bounds in Proposition 1 and its corollary apply.

To verify the correctness of Algorithm 3, we first note that if $h = k - j$ then the first base case must have failed and the output (0, h) is correct. If $h < k - j$ then it follows from the correctness of Algorithm 1 that $x = \mathrm{DL}_\alpha(j + h, k, \beta^{p^h})$. It is only necessary to check that h is minimal, but if not, the base case $\mathrm{DL}_\alpha(j + h - 1, j + h, \beta')$ would have succeeded and h would be smaller.

^8 Failure detection with baby-steps giant-steps or a lookup table is easy. See [28] for a rho search.
^9 Arguably, h should be $\log_p|\beta|$ here (so that $\beta^{p^h} = \alpha^0$), but this is less convenient.

We now explain how to construct a basis using Algorithm 3. Let us start with a vector $\alpha$ consisting of a single element of $G$. Clearly $\alpha$ is a basis for the cyclic subgroup it generates, and we would like to extend $\alpha$ to a basis for all of $G$ by adding elements to it one by one. This will only be possible if our basis at each step generates a subgroup $H$ that is a factor of $G$ (meaning $G \cong H \times G/H$). Some care is required, since $H$ need not be a factor of $G$, but let us first consider how to extend a basis.

Given a basis $\alpha$ for a subgroup $H$ of $G$, we say that $\gamma \in G$ is independent of $\alpha$ if the vector $\alpha \circ \gamma = (\alpha_1, \ldots, \alpha_r, \gamma)$ is a basis for $\langle \alpha, \gamma \rangle$, and write $\gamma \perp \alpha$. The following lemma shows how and when one may use $\mathrm{DL}^*(\alpha, \beta)$ to obtain such a $\gamma$.

Lemma 4. Let $\alpha$ be a basis for a subgroup of a finite abelian $p$-group $G$, with $n_i = \log_p|\alpha_i|$, $m_0 = \min n_i$, and $m = \max n_i$. Let $\beta \in G$ and let $\gamma = \beta\alpha^{-x}$, where $(x, h) = \mathrm{DL}^*(\alpha, \beta)$. The following hold:

(i) If $|\beta| \le p^m$ then $|\gamma| = p^h$.

(ii) If $|\beta| \le p^{m_0}$ and $|\gamma| \le p^{m_0}$ then $\gamma \perp \alpha$.

Proof. If $h < m$ then $x = \mathrm{DL}_\alpha(h, m, \beta)$, and we have

since $q(h, m)$, as defined in (15), has $q_i = p^{\max(h,\, n_i - m + h)} = p^h$. It follows that
\[
\gamma^{p^h} = (\beta\alpha^{-x})^{p^h} = 1_G,
\]
and this cannot hold for any $h' < h$, by the minimality of $h$. Thus (i) holds when $h < m$. Now suppose $h = m$. Then $x = 0$, $\gamma = \beta$, and $|\gamma| = |\beta| \ge p^h = p^m$. If $|\beta| \le p^m$, then $|\gamma| = |\beta| = p^h$, thus (i) also holds when $h = m$.

To prove (ii), assume $|\beta| \le p^{m_0}$ and $|\gamma| \le p^{m_0}$, and suppose $\gamma \perp \alpha$ does not hold. Then there is a nontrivial relation of the form $\gamma^{p^j} = \alpha^z$, for some $z$ and $j < h$, since $|\gamma| = p^h$ by (i). We claim that $z$ is not divisible by $p^j$, since
\[
\gamma^{p^j} = (\beta\alpha^{-x})^{p^j} = \beta^{p^j}\alpha^{-p^j x} = \alpha^z,
\]
and if $p^j$ divides $z$ we can set $v = x + z/p^j$ to obtain
\[
\beta^{p^j} = \alpha^{z + p^j x} = (\alpha^v)^{p^j} = \alpha^{q(j,m)v} = \alpha(j, m)^v,
\]
which contradicts the minimality of $h$. We now note that if $|\gamma| \le p^{m_0}$ then $\gamma^{p^j}$ has order at most $p^{m_0 - j}$. But $\alpha^z$ has order greater than $p^{m_0 - j}$, since some $z_i$ is not divisible by $p^j$, and therefore $|\alpha_i^{z_i}| \ge p^{n_i - j + 1} > p^{m_0 - j}$, yielding a contradiction. □

Lemma 4 not only tells us how to find independent elements, it gives sufficient conditions to ensure that this is possible. This yields a remarkably simple algorithm to construct a basis from a generating set $S$.

Start with $\alpha$ consisting of a single element of $S$ with maximal order $p^m$. Every $\beta \in S$ then satisfies $|\beta| \le p^m = p^{m_0}$, and we may use Algorithm 1 to compute an independent $\gamma = \beta\alpha^{-x}$ for each $\beta$. We can then choose one with maximal order to extend our basis $\alpha$, and continue in this fashion until we have a basis spanning the entire group generated by $S$.
Algorithm 4. Given a subset $S$ of a finite abelian $p$-group, the following algorithm computes a basis $\alpha$ for $G = \langle S \rangle$:

1. Set $\alpha \leftarrow ()$ and compute $h_i \leftarrow \log_p|\beta_i|$ for each $\beta_i \in S$.

2. If every $h_i = 0$, return $\alpha$.

   Otherwise pick a maximal $h_i$, set $\alpha \leftarrow \alpha \circ \beta_i$, then $\beta_i \leftarrow 1_G$ and $h_i \leftarrow 0$.

3. For each $h_i > 0$:

   a. Compute $(x, h) \leftarrow \mathrm{DL}^*(\alpha, \beta_i)$ using Algorithm 3.

   b. Set $\beta_i \leftarrow \beta_i\alpha^{-x}$ and $h_i \leftarrow h$.

4. Go to Step 2.

After Step 1 we have (trivially) $\beta_i \perp \alpha$ for all $\beta_i$, and after Step 2 we must have $h_i \le \min(\log_p|\alpha_j|)$ for all $h_i$. By Lemma 4 these statements remain true after Step 3, and at every step the algorithm ensures that $h_i = \log_p|\beta_i|$ and $\langle \alpha, S \rangle = G$. If every $h_i = 0$, then $\langle S \rangle$ is trivial and $\alpha$ is a basis for $G$. Some nonzero $h_i$ is set to zero each time Step 2 is executed, so this eventually happens. Note that when an element $\beta_i$ is appended to $\alpha$, its order $p^{h_i}$ is known, as desired.
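As an added illustration of Algorithm 4 (example code, not from the paper), the following Python runs the basis construction on the black box of Section 6, a product of cyclic 2-groups written additively as tuples of residues. The $\mathrm{DL}^*$ oracle here is brute force, standing in for Algorithm 3 and its baby-step giant-step base cases, so it is only practical for tiny groups; the moduli and the generating set are constructed for the example, and the verification at the end checks independence by enumeration.

```python
# Algorithm 4 on a toy black box (added example, not the paper's code).
# The group is Z/8 x Z/4 x Z/2 (p = 2, shape 3.2.1) written additively as
# tuples of residues, the same "integers mod p^{n_i}" black box Section 6 uses.
# DL* is brute force here, standing in for Algorithm 3 and its base cases, so
# only tiny groups are practical; the logic of Algorithm 4 itself is unchanged.
from itertools import product
from math import prod

P = 2
MODULI = (8, 4, 2)            # constructed toy group; any tuple of p-powers works
ZERO = tuple(0 for _ in MODULI)


def add(a, b):
    return tuple((x + y) % m for x, y, m in zip(a, b, MODULI))


def smul(k, a):
    """a^k in additive notation."""
    return tuple((k * x) % m for x, m in zip(a, MODULI))


def log_order(a):
    """log_p |a|: least h with a^{p^h} = 1 (every element has p-power order)."""
    h = 0
    while any(smul(P ** h, a)):
        h += 1
    return h


def power_vec(alpha, x):
    """alpha^x = prod alpha_i^{x_i} for a basis vector alpha and exponent vector x."""
    acc = ZERO
    for xi, ai in zip(x, alpha):
        acc = add(acc, smul(xi, ai))
    return acc


def dl_star(alpha, beta):
    """(x, h) with h minimal such that beta^{p^h} = (alpha^x)^{p^h}.

    This is what Algorithm 3 returns when |beta| <= p^m: h counts the low
    base-p digits that cannot be matched inside <alpha>, x matches the rest.
    """
    boxes = [range(P ** log_order(a)) for a in alpha]
    for h in range(log_order(beta) + 1):
        target = smul(P ** h, beta)
        for x in product(*boxes):
            if smul(P ** h, power_vec(alpha, x)) == target:
                return list(x), h
    raise AssertionError("unreachable: x = 0 always matches at h = log_p|beta|")


def basis_from_generators(S):
    """Algorithm 4: a basis alpha for <S>, components in order of decreasing order."""
    alpha = []
    beta = [tuple(b) for b in S]                    # Step 1
    h = [log_order(b) for b in beta]
    while any(h):                                   # Step 2: stop once every h_i = 0
        i = max(range(len(beta)), key=lambda j: h[j])
        alpha.append(beta[i])                       # alpha <- alpha o beta_i
        beta[i], h[i] = ZERO, 0
        for j in range(len(beta)):                  # Step 3: reduce the rest
            if h[j] > 0:
                x, hj = dl_star(alpha, beta[j])     # Step 3a
                beta[j] = add(beta[j], smul(-1, power_vec(alpha, x)))  # 3b: beta_j * alpha^{-x}
                h[j] = hj
    return alpha


def is_basis(alpha):
    """Independence check by enumeration: alpha^x is distinct for every x in the box."""
    boxes = [range(P ** log_order(a)) for a in alpha]
    return len({power_vec(alpha, x) for x in product(*boxes)}) == prod(len(b) for b in boxes)


if __name__ == "__main__":
    S = [(1, 1, 0), (0, 1, 1), (0, 0, 1), (2, 2, 0)]   # constructed generating set for G
    alpha = basis_from_generators(S)
    print(alpha, [P ** log_order(a) for a in alpha], is_basis(alpha))
```

Because $\beta_i \leftarrow \beta_i\alpha^{-x}$ never leaves $\langle \alpha, S\rangle$, the output generates $\langle S\rangle$, and the enumeration in `is_basis` confirms the independence that Lemma 4 guarantees at every step.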

Proposition 2. Given a set $S$ that generates an abelian group $G$ of size $p^n$, exponent $p^m$, and rank $r$, there is a generic algorithm to compute a basis for $G$ using
\[
T_B(S) \le c\left( \frac{\lg(m+1)}{\lg\lg(m+2)}\,|S|\lg|G| + \frac{n}{r}\,p^{\lceil r/2 \rceil} + (|S| - r)\,T_{DL}(G) \right)
\]
group operations, where $T_{DL}(G)$ is as in Proposition 1 and $c$ is an absolute constant independent of $S$ and $G$.

Proof. We apply Algorithm 4, setting $t = 1$ in Algorithm 3. We assume that a table of all nontrivial $p^j$th powers of each element of $\alpha$ is maintained throughout, for a total cost of at most $2\lg|G|$ group operations (this table can also be made available to Algorithm 3, avoiding the need for any precomputation). For each $\beta \in S$, computing $|\beta|$ in Step 1 requires less than $2m\lg p$ group operations. The cost of all the exponentiations in Step 3b related to $\beta$ is bounded by $2\lg|G|$ (if we consider $x = \mathrm{DL}(\alpha, \beta)$ for the initial value of $\beta$ relative to the final basis $\alpha$, each base-$p$ digit of $x$ is "cleared" in Step 3b at most once). The total cost of all steps other than 3a is thus $O(|S|\lg|G|)$ group operations, which is bounded by the sum of the first and last terms in the bound for $T_B(S)$, for a suitable constant $c$.

We now consider the cost of Step 3a for those $\beta = \beta_i \in S$ for which $h_i$ is never chosen in Step 2, meaning $\beta_i$ is never appended to $\alpha$. There are exactly $|S| - r$ such $\beta$. For each base case that succeeds in some computation $\mathrm{DL}^*(\alpha, \beta)$, the order of $\beta$ is reduced by a factor of $p$ in Step 3b, so there are at most $m$ successful base cases relevant to $\beta$ in the entire execution of Algorithm 4. Ignoring the cost of reaching the first base case, and failed base cases, the successful part of all the $\mathrm{DL}^*(\alpha, \beta)$ computations involving $\beta$ corresponds to a single computation $\mathrm{DL}(\alpha, \beta)$ with respect to the final basis $\alpha$ for $G$, which we bound by $T_{DL}(G)$.

When computing $\mathrm{DL}^*(\alpha, \beta)$, reaching the first base case involves exponentiating $\beta$ (and precomputing $\alpha(j, k)$, but this was addressed above). The order of $\beta$ is bounded by the order of the most recently added component of $\alpha$, hence the total cost of all the initial exponentiations of $\beta$ is at most $\sum_{i=1}^{r} 2\lg|\alpha_i| = 2\lg|G|$, which is bounded by a constant factor of $T_{DL}(G)$. Summing over the $|S| - r$ elements $\beta$ yields the term $(|S| - r)T_{DL}(G)$ in the bound for $T_B(S)$.






It remains to consider the cost of Step 3a for the elements $\beta_1, \ldots, \beta_r$ that are at some point appended to $\alpha$. With $n_i = \log_p|\alpha_i|$, we have $m = n_1 \ge \cdots \ge n_r \ge 1$. Define $m_i = n_i - n_{i+1}$ for $1 \le i \le r - 1$, and let $f(x) = x\lg(x+1)/\lg\lg(x+2)$. Excluding base cases, the successful part of all computations $\mathrm{DL}^*(\alpha, \beta_i)$ may be bounded, as in Proposition 1, by a constant factor of
\[
(16)\qquad \sum_{i=1}^{r-1} (r - i)\,f(m_i)\lg p \le (r - 1)\,f(m)\lg p \le \frac{\lg(m+1)}{\lg\lg(m+2)}\lg|G|,
\]
where we have used $\sum f(m_i) \le f(m)$ for positive integers with $\sum m_i \le m$. As above, the total cost of reaching the first base case in the computations $\mathrm{DL}^*(\alpha, \beta_i)$ for $\beta_i$ is at most $2\lg|G|$, which may be incorporated into (16), yielding the first term of the bound for $T_B(S)$.

Finally, we consider the cost of the base cases occurring for $\beta_1, \ldots, \beta_r$. In the $i$th iteration of Step 3a, there are $r - i$ elements $\beta_i$ which have yet to be appended to $\alpha$, and exactly one base case fails for each of these. Thus we may bound the cost of all failed base cases by a constant factor of

(17) J:ir~^)p^f^<J^^^^<12pi^^^^^^ 

For the successful base cases, let $r_j$ be the rank of the subgroup of $p^j$th powers in $G$, as in Proposition 1, so that $n = r_0 + \cdots + r_{m-1}$. For each $r_j$ we obtain a sum of the form (17), and note that, as in Corollary 1, we may bound the cost to within a constant factor by assuming the $r_j$ are all approximately equal to $r$. In this case we have $m = \lceil n/r \rceil$, yielding the term $(n/r)p^{\lceil r/2 \rceil}$ in the bound for $T_B(S)$, which also covers the failed base cases, for a suitable choice of $c$. □

If we are given a set $S$ of independent elements, Proposition 2 implies that we can typically verify that $S$ is a basis for $G = \langle S \rangle$ more quickly than we can compute discrete logarithms in $G$. In fact this is true whenever $|S| = r$, even if the elements of $S$ are not independent. More generally, we have the following corollary.

Corollary 2. Given a generating set $S$ for a finite abelian $p$-group $G$ of rank $r$, with $|S| = r + O(1)$, there is a generic algorithm to compute a basis for $G$ using
\[
T_B(G) = O(\lg^{2+\epsilon}|G|) + O(T_{DL}(G)) = O(|G|^{1/2})
\]
group operations.

When a generating set is not available, or when $|S| \gg r$, we may instead use a probabilistic algorithm to construct a basis from randomly sampled elements of $G$. If $r$ is known (or bounded), Corollary 2 can be applied to a randomly generated subset $S \subset G$ of size $r + t$ to obtain a generic Monte Carlo algorithm that is correct with probability at least $1 - p^{-t}$. This follows from the lemma below, whose proof can be found in [21, Eq. 2] and also [U, Lem. 4].

Lemma 5. Let $G$ be a finite abelian $p$-group of rank $r$, and let $S$ be a sample of $s \ge r$ independent and uniformly distributed random elements of $G$. Then $S$ generates $G$ with probability
\[
\prod_{j=s-r+1}^{s} \left(1 - p^{-j}\right) \ge 1 - p^{r-s}.
\]
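To see Lemma 5 in numbers, here is an added Python check (example code, not from the paper). It evaluates the product in the lemma and the simpler bound $1 - p^{r-s}$, then compares both with an exhaustive count of the generating $s$-tuples in two constructed rank-2 groups, $(\mathbb{Z}/2)^2$ and $\mathbb{Z}/4 \times \mathbb{Z}/2$; the second group shows that only the rank enters, as the lemma states.

```python
# Lemma 5 checked exhaustively (added example, not from the paper).
# generating_probability() is the lemma's product, lower_bound() its simpler
# bound 1 - p^{r-s}; count_generating() enumerates every s-tuple of elements of
# a constructed toy group Z/m_1 x ... x Z/m_k (additive tuples, all m_i powers
# of one prime) and counts the tuples that generate it, so the formula can be
# compared with exact counts.
from fractions import Fraction
from itertools import product


def generating_probability(p, r, s):
    """Pr[s uniform random elements generate a p-group of rank r] (Lemma 5)."""
    assert s >= r
    prob = Fraction(1)
    for j in range(s - r + 1, s + 1):
        prob *= 1 - Fraction(1, p ** j)
    return prob


def lower_bound(p, r, s):
    """The lemma's closed-form bound 1 - p^{r-s} (useful when only r is known)."""
    return 1 - Fraction(p ** r, p ** s)


def span(moduli, elements):
    """All Z-linear combinations of `elements`; coefficients below the exponent suffice."""
    exponent = max(moduli)                 # prime-power moduli of one prime: lcm = max
    combos = product(range(exponent), repeat=len(elements))
    return {tuple(sum(z * e[i] for z, e in zip(zs, elements)) % m
                  for i, m in enumerate(moduli))
            for zs in combos}


def count_generating(moduli, s):
    """Number of ordered s-tuples of group elements that generate the whole group."""
    G = list(product(*[range(m) for m in moduli]))
    return sum(1 for tup in product(G, repeat=s) if len(span(moduli, tup)) == len(G))


if __name__ == "__main__":
    for moduli in ((2, 2), (4, 2)):
        total = (moduli[0] * moduli[1]) ** 3
        print(moduli, count_generating(moduli, 3), "of", total,
              "expected", generating_probability(2, 2, 3) * total)
```

For $p = 2$, $r = 2$, $s = 3$ the product is $(1 - 1/4)(1 - 1/8) = 21/32$, while the closed-form bound only promises $1/2$; the exhaustive counts (42 of 64 triples, 336 of 512 triples) match the product exactly.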



This algorithm always outputs a basis for a subgroup $H$ of $G$, but it may be that $H < G$.
In general, we do not know the rank of $G$ a priori. Indeed, determining $r$ may be a reason for computing a basis. In this situation we could apply Algorithm 4 to progressively larger randomly generated sets $S$ until $|S| \ge r + t$, where $r$ is the rank of $\langle S \rangle$ and $t$ is a constant. However, a more efficient approach is to simply select random $\beta \in G$, using the black box or via Lemma 6 below, and attempt to use Lemma 4 to extend the current basis.

This eliminates the loop in Step 3 of Algorithm 4, but we must now address the situation where Lemma 4 fails to apply ($|\beta| > p^{m_0}$ or $|\gamma| > p^{m_0}$). It may happen that the basis we have constructed cannot be extended to a basis for $G$, and in this case we need to backtrack. Fortunately, this is easy to detect (and correct), and has negligible impact on the expected running time.

Algorithm 5. Given a randomized black box for a finite abelian $p$-group $G$ and $t \in \mathbb{Z}_{>0}$, the following algorithm computes a basis $\alpha$ for a subgroup $H$ of $G$, where $H = G$ with probability at least $1 - p^{-t}$:

1. Set $s \leftarrow 0$. Pick a random $\alpha_1 \in G$ and set $\alpha \leftarrow (\alpha_1)$.

2. If $s = t$ then return $\alpha$.

3. Pick a random $\beta \in G$ and compute $(x, h) \leftarrow \mathrm{DL}^*(\alpha, \beta)$.

4. If $h = 0$ then increment $s$ and go to Step 2, otherwise set $\gamma \leftarrow \beta\alpha^{-x}$.

5. For each $\alpha_i$ with $|\alpha_i| < |\gamma|$, remove $\alpha_i$ from $\alpha$ and set $s \leftarrow 0$.

6. Set $\alpha \leftarrow \alpha \circ \gamma$ and go to Step 2.

The correctness of Algorithm 5 depends on an easy corollary to Lemma 4. If we let the (possibly empty) vector $\alpha'$ consist of those components of $\alpha$ that satisfy $|\alpha_i| \ge |\gamma|$, then $\gamma \perp \alpha'$ (the proof is the same). It follows that after Step 6, $\alpha$ is a basis for the subgroup it generates (this is obviously also true after Step 1). When the algorithm terminates, it has found $t$ (independent, uniformly distributed) random elements $\beta \in G$ that lie in $H = \langle \alpha \rangle$. If $H$ is a proper subgroup of $G$, it must be smaller by a factor of at least $p$; the probability that $t$ random elements $\beta \in G$ all happen to lie in $H$ is then at most $p^{-t}$.

Proposition 3. Given a randomized black box for a finite abelian $p$-group $G$ of rank $r$, exponent $p^m$, and size $p^n$, and $t \in \mathbb{Z}_{>0}$, there is a probabilistic generic algorithm that computes a basis for a subgroup $H$ of $G$ using an expected
\[
T^*_B(G) \le c\left( \frac{\lg(m+1)}{\lg\lg(m+2)}\,r\lg|G| + \frac{n}{r}\,p^{\lceil (r-1)/2 \rceil} + t\,T_{DL}(G) \right)
\]
group operations, such that $H = G$ with probability at least $1 - p^{-t}$. The absolute constant $c$ is independent of both $t$ and $G$.

Proof. We apply Algorithm 5. If it never backtracks (removes elements from $\alpha$ in Step 5), the final basis $\alpha$ is obtained from the first $r$ random elements, and then $t$ discrete logarithms are computed using this basis. In this case, the bound $T^*_B(G)$ follows from an argument similar to that used in the proof of Proposition 2 with $|S| = r$ (and a better constant factor). We will show that the expected cost of Algorithm 5 is within a constant factor of the cost arising in this ideal scenario.

Let $\alpha = (\alpha_1, \ldots, \alpha_r)$ be the final basis output by Algorithm 5, and note that $|\alpha_1| \ge |\alpha_2| \ge \cdots \ge |\alpha_r|$. As the computation proceeds, for each $k$ from 1 to $r$, there is a stage $k$ where $\alpha_{k-1} = (\alpha_1, \ldots, \alpha_{k-1})$ is a (possibly empty) prefix of the final basis, and the algorithm is in the process of determining $\alpha_k$. This may involve extending and then backtracking to the prefix $\alpha_{k-1}$ (several times, perhaps), but once $\alpha_k$ is determined, we have the prefix $\alpha_k$ and transition to stage $k + 1$. If no backtracking occurs, the algorithm completes stage 1 after Step 1, and a single computation of $\mathrm{DL}^*(\alpha_k, \beta)$ is required for each stage $k > 1$. From Proposition 1, the cost of this computation may be bounded by

fc-l 1 / I 1 \ m- l 

where $c_1$ is a constant, $n_i = \log_p|\alpha_i|$, and the ranks $r_j \le k - 1$ are as in Proposition 1. Let $A_k$ and $B_k$ denote the two sums in $S_k$, including the factor $c_1$.

We now consider the probability that the computation $\mathrm{DL}^*(\alpha_{k-1}, \beta)$ completes stage $k$. Let $z$ be the discrete logarithm of $\beta$ relative to the final basis $\alpha$. Provided that $z_k$ is not divisible by $p$, when $h$ is computed in Step 3 we will have $h = n_k$, and compute $\gamma = \alpha_k$ in Step 4, since no subsequent computation can yield an independent element of order greater than $n_k$ (since $n_j \le n_k$ for $j > k$). Thus for each random $\beta \in G$ processed during stage $k$, the probability that we do not complete stage $k$ is at most $1/p$ (this is true for any extension of $\alpha_{k-1}$ arising during stage $k$). Conditioning on $w$, the number of random $\beta \in G$ processed during stage $k$, the expected cost of stage $k$ may be bounded by a sum of the form

Tk < {l~p-^)iAk + Bk)+p-^{{l + 2)Ak + il+p'/^)Bk) + ... 

where $b = 1/(\sqrt{p} - 1)$. We have assumed here, as a worst case, that after processing each $\beta$ the current basis is extended by a $\gamma$ that maximizes the cost of subsequent discrete logarithm computations. For each increment in $w$ we suppose that $|\langle\alpha\rangle|$ increases by a factor of $|\langle\alpha_{k-1}\rangle|$ (in fact, it increases by at most a factor of $|\alpha_{k-1}|$), and that every $r_j$ increases by 1.

The second sum in (18) is a geometric series, bounded by $b/(p - \sqrt{p}) \le 5$. Summation by parts yields the identity

h\ ^ J iP-ir' 

allowing us to bound the first sum in (18) by 4. Hence $T_k \le c_2 S_k$ for a constant $c_2 \le 6$, and the bound on $T^*_B(G)$ follows. The correctness probability was addressed above, and clearly $c = c_1 c_2$ is independent of $t$ and $G$. □

In practice, the constant $c$ in Proposition 3 is quite small and $T^*_B(G) \approx t\,T_{DL}(G)$, even when $p = 2$ (the worst case, as far as the constant factors are concerned). When $T_{DL}(G)$ is dominated by $p^{r/2}$, the constant $t$ can be improved to $\sqrt{t}$ using a baby-steps giant-steps approach, as discussed in Section 6.

If we are given a bound $M$ satisfying $M \le |G| < pM$ (perhaps $M = |G|$), we can easily convert Algorithm 5 from a Monte Carlo algorithm to a Las Vegas algorithm by replacing the test "$s = t$" in Step 2 with "$|\langle\alpha\rangle| \ge M$" (note that $|\langle\alpha\rangle| = \prod$

We now give a method to construct uniformly random elements of $G$ from a generating set $S$. This is useful in general, and allows us to apply Algorithm 5 to a generating set $S$, which may be faster than using Algorithm 4 when $|S| \gg r$.
Lemma 6. Given a generating set $S$ for a finite abelian group $G$ with exponent $p^m = E$, and $t \in \mathbb{Z}_{>0}$, there is a generic algorithm to compute $t$ independent, uniformly random elements of $G$ using
\[
T_R(S, t) \le (3\lg E)|S| + 2t\left( \frac{|S|\lg(E+1)}{\lceil \lg\lg(E+2) \rceil} + |S| \right)
\]
group operations and storage for at most $t + \lg E$ group elements.

Proof. We represent $S$ as a vector $\gamma = (\gamma_1, \ldots, \gamma_s)$. To construct random elements $\beta_1, \ldots, \beta_t$, first set each $\beta_j$ to $1_G$, then, for each $\gamma_i$, compute $|\gamma_i| = p^{n_i}$, select $t$ uniformly random integers $z_{ij} \in [0, p^{n_i})$, and set $\beta_j \leftarrow \beta_j\gamma_i^{z_{ij}}$ for each $j$. We assume all the $z_{ij}$ are chosen independently.

The cost of computing $|\gamma_i|$ is at most $2m\lg p = 2\lg E$ group operations. By Yao's Theorem, the cost of $t$ exponentiations of the common base $\gamma_i$ is at most

group operations, where $c \le 2$. Accounting for the multiplication by $\beta_j$ and summing over the $\gamma_i$ yields the bound $T_R(S, t)$. We only need to store the $\beta_j$ and at most $\lg E$ powers of a single $\gamma_i$ at each step (we don't count the size of the input set $S$, since we only access one element of $S$ at a time).

Clearly the $\beta_j$ are independent; we must show each is uniformly distributed over $G$. Let $H = \mathbb{Z}/p^{n_1}\mathbb{Z} \times \cdots \times \mathbb{Z}/p^{n_s}\mathbb{Z}$. The map $\varphi : H \to G$ that sends $z$ to $\gamma^z$ is a surjective group homomorphism, and we have $\beta_j = \varphi(z)$, where $z = (z_{1j}, z_{2j}, \ldots, z_{sj})$ is uniformly distributed over $H$. As each coset of $\ker\varphi$ has the same size, it follows that $\beta_j$ is uniformly distributed over $G \cong H/\ker\varphi$. □

In practice, we may wish to generate random elements "on demand", without knowing $t$. We can generate random elements in small batches of size $t \approx \lg\lg(E+2)$ to effectively achieve the same result. If $S$ is reasonably small, the first term of $T_R(S, t)$ may be treated as a precomputation and need not be repeated.

Provided that $|S| = O(|G|^{1/2-\epsilon})$, we may apply Lemma 6 and Proposition 3 to compute a basis for $G = \langle S \rangle$, with high probability, using $O(|G|^{1/2})$ group operations. By contrast, Algorithm 4 uses $O(|S||G|^{1/2})$ group operations when $S$ is large, as does the algorithm of Buchmann and Schmidt [8]. However, we note that both of these algorithms are (or can be made) deterministic.

5. Constructing a basis in the general case 

We now suppose that $G$ is an arbitrary finite abelian group. If we know the exponent of $G$, call it $\lambda(G)$, and its factorization into prime powers, we can easily reduce the computation of a basis for $G$ to the case already considered. In fact, it suffices to know any reasonably small multiple $N$ of $\lambda(G)$, including $N = |G|$. Factoring $N$ does not require any group operations, and is, in any event, a much easier problem than computing $\lambda(G)$ in a generic group, hence we ignore this cost.

As shown in the author's thesis, $\lambda(G)$ can be computed using $o(|G|^{1/2})$ group operations [26]. This bound is strictly dominated by the worst-case complexity of both the algorithms presented in the previous section, allowing us to extend our



We have subexponential-time probabilistic algorithms for factoring versus exponential lower bounds for computing the group exponent with a probabilistic generic algorithm [3]. Most deterministic factoring algorithms are already faster than the $\Omega(N^{1/3})$ lower bound of [26, Thm. 2.3].
complexity bounds for abelian $p$-groups to the general case. The basic facts needed for the reduction are given by the following lemma.

Lemma 7. Let $G$ be a finite abelian group and let $N$ be a multiple of $\lambda(G)$. Let $p_1, \ldots, p_k$ be distinct primes dividing $N$, and let $G_{p_i}$ be the Sylow $p_i$-subgroup of $G$.

(i) Given a generating set $S$ for $G$, one can compute generating sets $S_1, \ldots, S_k$ for $G_{p_1}, \ldots, G_{p_k}$, each of size $|S|$, using $O(|S|\lg^{1+\epsilon} N)$ group operations.

(ii) Given a uniformly distributed random $\beta \in G$, one can compute elements $\beta_1, \ldots, \beta_k$ uniformly distributed over the groups $G_{p_1}, \ldots, G_{p_k}$ (respectively), using $O(\lg^{1+\epsilon} N)$ group operations.

Proof. Let $N_i$ be the largest divisor of $N$ relatively prime to $p_i$. Given $\beta \in S$, or a random $\beta \in G$, we compute $\beta_1 = \beta^{N_1}, \ldots, \beta_k = \beta^{N_k}$ with either Algorithm 7.3 or Algorithm 7.4 of [26], using $O(\lg^{1+\epsilon} N)$ group operations.

The map $\phi_i : G \to G_{p_i}$ sending $\beta$ to $\beta^{N_i}$ is a surjective group homomorphism, invertible on $G_{p_i} \subset G$. Thus if $S$ generates $G$, then $S_i = \phi_i(S)$ generates $G_{p_i}$, which proves (i). If $\beta$ is uniformly distributed over $G$, then $\phi_i(\beta)$ is uniformly distributed over $G_{p_i}$, proving (ii). □
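The reduction in Lemmas 6 and 7, as an added Python example (not the paper's code) on a constructed group $G = \mathbb{Z}/12 \times \mathbb{Z}/18$ written additively, with $N = \lambda(G) = 36$ taken as known in the way Section 5 assumes: random elements of $\langle S\rangle$ are built from random powers of each generator, and $\beta \mapsto \beta^{N_i}$ projects onto the Sylow subgroups. Plain scalar multiplication stands in for the multi-exponentiation routines (Algorithms 7.3 and 7.4 of [26]) cited in the proof, and the subgroup sizes are checked by enumeration.

```python
# Lemmas 6 and 7 on a constructed toy group (added example, not the paper's code).
# G = Z/12 x Z/18 written additively as tuples; N = lcm(12, 18) = 36 = lambda(G)
# is taken as known, as Section 5 assumes. Plain scalar multiplication stands in
# for the multi-exponentiation routines (Algorithms 7.3/7.4 of [26]) cited there.
import random
from itertools import product

MODULI = (12, 18)
N = 36                                     # exponent of G, assumed given
ZERO = (0, 0)


def add(a, b):
    return tuple((x + y) % m for x, y, m in zip(a, b, MODULI))


def smul(k, a):
    """a^k in additive notation."""
    return tuple((k * x) % m for x, m in zip(a, MODULI))


def order(a):
    k, cur = 1, a
    while any(cur):
        cur, k = add(cur, a), k + 1
    return k


def prime_factors(n):
    fs, q = [], 2
    while q * q <= n:
        if n % q == 0:
            fs.append(q)
            while n % q == 0:
                n //= q
        q += 1
    if n > 1:
        fs.append(n)
    return fs


def coprime_part(n, p):
    """N_i of Lemma 7: the largest divisor of n relatively prime to p."""
    while n % p == 0:
        n //= p
    return n


def sylow_generators(S, n):
    """Lemma 7(i): {p: [beta^{N_p} for beta in S]}; each list generates G_p."""
    return {p: [smul(coprime_part(n, p), b) for b in S] for p in prime_factors(n)}


def sylow_projection(beta, n):
    """Lemma 7(ii): the components (beta^{N_p})_p of a single element."""
    return {p: smul(coprime_part(n, p), beta) for p in prime_factors(n)}


def random_elements(S, t, seed=0):
    """Lemma 6: t independent uniform elements of <S> from random powers of each generator."""
    rng = random.Random(seed)                # seeded so the example is reproducible
    betas = [ZERO] * t
    for g in S:
        e = order(g)                         # the proof draws z_ij uniformly from [0, |gamma_i|)
        for j in range(t):
            betas[j] = add(betas[j], smul(rng.randrange(e), g))
    return betas


def span_size(elements):
    """|<elements>| by enumerating coefficient vectors (tiny groups only)."""
    boxes = [range(order(e)) for e in elements]
    return len({tuple(sum(z * e[i] for z, e in zip(zs, elements)) % m
                      for i, m in enumerate(MODULI))
                for zs in product(*boxes)})


if __name__ == "__main__":
    S = [(1, 2), (3, 1)]                     # constructed generating set for G
    gens = sylow_generators(S, N)
    print({p: (g, span_size(g)) for p, g in gens.items()})
    print([sylow_projection(b, N) for b in random_elements(S, 3)])
```

Here $N_2 = 9$ and $N_3 = 4$; the projected sets generate subgroups of orders 8 and 27, which are the Sylow 2- and 3-subgroups $\mathbb{Z}/4 \times \mathbb{Z}/2$ and $\mathbb{Z}/3 \times \mathbb{Z}/9$ of $G$, and every projected element has prime-power order as the homomorphism argument in the proof requires.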

We now extend Propositions 2 and 3 to arbitrary finite abelian groups. To simplify the statement of results, we suppose that $N$ is equal to either $\lambda(G)$ or $|G|$.

Proposition 4. Let $G$ be a finite abelian group whose nontrivial Sylow subgroups are $G_{p_1}, \ldots, G_{p_k}$, and suppose that the exponent (resp. order) of $G$ is given. Let $S$ be a generating set for $G$, with $S_i$ as in Lemma 7.

(i) There is a generic algorithm to compute a basis for $G$ which uses
\[
O(|S|\lg^{1+\epsilon}|G|) + \sum_i T_B(S_i)
\]
group operations, where $T_B(S_i)$ is bounded as in Proposition 2.

(ii) Given a randomized black box for $G$, there is a Monte Carlo (resp. Las Vegas) generic algorithm to compute a basis for $G$ using an expected
\[
O(\lg^{2+\epsilon}|G|) + \sum_i T^*_B(G_{p_i}) = O(|G|^{1/2})
\]
group operations, where $T^*_B(G_{p_i})$ is bounded as in Proposition 3.

Proof. (i) is immediate from Lemma 7 and Proposition 2. (ii) follows similarly from Proposition 3 and the comments following, using the bound

from Lemma 7. □

Corollary 3. Given a randomized black box for a finite abelian group $G$, there is a probabilistic algorithm to compute a basis for $G$ using $O(|G|^{1/2})$ group operations.

Proof. Algorithm 8.1 of [26] computes $N = \lambda(G)$ (with high probability) using $o(\sqrt{N})$ group operations, assuming Algorithms 5.1 and 5.2 of [26] are used for order computations. The corollary then follows from (ii) of Proposition 4. □

Algorithm 7.3 is due to Celler and Leedham-Green [10].
If we are given a generating set $S$ with $|S| = O(|G|^{1/2-\epsilon})$, we may apply Lemma 6 to obtain an analogous corollary.

The space required by the algorithms of Proposition 4 and Corollary 3 can be made quite small, polynomial in $\lg|G|$, using algorithms based on Pollard's rho method to handle the base cases of the discrete logarithm computations, and also the search used in Algorithm 5.1 of [26]. If this is done, the complexity bound for computing $\lambda(G)$ increases to $O(N^{1/2})$ (but will typically be better than this).

It is not necessary to use a particularly fast algorithm to compute $\lambda(G)$ in order to prove Corollary 3; any $O(N^{1/2})$ algorithm suffices. However, the time to compute a basis for $G$ is often much less than $|G|^{1/2}$ group operations, as the worst case may arise rarely in practice. Applying Algorithms 5.1 and 5.2 of [26] yields considerable improvement in many cases.

These comments are especially relevant when one only wishes to compute a basis for a particular Sylow $p$-subgroup $H$ of $G$ (perhaps as a prelude to extracting $p$th roots in $G$). Once we have computed $\lambda(G)$, we can compute a basis for any of $G$'s Sylow subgroups with a running time that typically depends only on the size and shape of the subgroup of interest, not on $G$. The following proposition follows immediately from Lemma 7 and Proposition 3.

Proposition 5. Let $H$ be a Sylow $p$-subgroup of a finite abelian group $G$. Given a multiple $N$ of the exponent of $G$ and a randomized black box for $G$, there is a probabilistic generic algorithm to compute a basis for $H$ using
\[
O(r\lg^{1+\epsilon} N) + T^*_B(H) = O(r\lg^{1+\epsilon} N + |H|^{1/2})
\]
group operations, where $r$ is the rank of $H$.

6. Performance results 

We tested the new algorithms on abelian $p$-groups of various sizes and shapes in order to assess their performance. As in previous sections, $G$ is an abelian group of size $p^n$, exponent $p^m$, and rank $r$, whose shape is given by a partition of $n$ into $r$ parts, with largest part $m$.

We present here results for $p = 2$, as this permits the greatest variation in the other parameters, and also because the Sylow 2-subgroup is of particular interest in many applications. Results for other small primes are similar. When $p$ is large, the results are not as interesting: $n$, $r$, and $m$ are all necessarily small and the computation is dominated by the discrete logarithms computed in the base cases, whose $\Theta(p^{r/2})$ performance is well understood.

Our tests in $p$-groups used a black box which represents each cyclic factor of $G$ using integers mod $p^{n_i}$. This is a convenient but arbitrary choice. Identical results are obtained for any black box implementation, since the algorithms are generic. Our performance metric counts group operations (multiplications and inversions), and does not depend on the speed of the black box or the computing platform.

To compute discrete logarithms in the base cases, we used Shanks' baby-steps giant-steps algorithm [22] extended to handle products of cyclic groups. Rather than the lexicographic ordering used by Algorithm 9.3 of [26], we instead compute

For example, Teske reports computing a basis for the ideal class group $G$ of $\mathbb{Q}[\sqrt{D}]$, with $D = -4(10^{30} + 1)$, using $243{,}207{,}644 \approx 7.1|G|^{1/2}$ group operations [28]. In [26], a basis for $G$ is computed using $250{,}277 \approx 2.4|G|^{1/3}$ group operations.

Thus the performance results reported here are not impacted by Moore's law.
   n \ r       1       2       4       8      16       32
     32      113      89      76      94     669    97936
     64      261     204     172     194     853   163750
    128      591     455     380     370    1501   197518
    256     1268    1021     833     760    2065   328839
    512     2718    2165    1770    1607    3760   395187
   1024     5949    3931    3755    4601    5745   657965

Table 1. Group operations to compute $\mathrm{DL}(\alpha, \beta)$ in $G = (\mathbb{Z}/2^{n/r}\mathbb{Z})^r$.



a Gray code [13] when enumerating steps, always using one group operation per step (this is especially useful for small $p$, saving up to a factor of 2). A more significant optimization available with Shanks' method is the ability to perform $k$ discrete logarithms in a group of size $N$ using $2\sqrt{kN}$ (rather than $2k\sqrt{N}$) group operations by storing $\sqrt{kN}$ baby steps in a lookup table and then taking $\sqrt{N/k}$ giant steps as each of the $k$ discrete logarithms is computed.

This optimization is useful in Algorithms 1 and 3, even for a single discrete logarithm computation, as there may be many base cases in the same subgroup. It is even more useful in the context of Algorithms 4 and 5, as several calls to Algorithm 3 may use the same basis. In the bound for $T_{DL}(G)$ in Corollary 1 this effectively replaces the factor $n/r$ by $\sqrt{n/r}$. When the rank-dependent terms in $T_{DL}(G)$ dominate sufficiently, the bounds in Propositions 2 and 3 can be improved by replacing $|S| - r$ with $\sqrt{|S| - r}$ and $t$ with $\sqrt{t}$ (respectively).
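The shared-table optimization above, as an added Python example (not the paper's implementation): baby-step giant-step in a product of two cyclic groups, on the constructed black box $\mathbb{Z}/16 \times \mathbb{Z}/16$ with the basis $\alpha = ((1,1), (0,1))$ of orders $(16, 16)$. The code counts baby steps plus giant-step candidates so the $2\sqrt{kN}$ versus $2k\sqrt{N}$ comparison can be checked on $k = 4$ logarithms in a group of size $N = 256$; baby steps are enumerated row by row rather than by Gray code, and the logarithms used as input are constructed.

```python
# Baby-step giant-step for a product of two cyclic groups with a table shared
# by k discrete logarithms (added example, not the paper's implementation).
# Constructed black box: Z/16 x Z/16 written additively, basis alpha = ((1,1),(0,1))
# of orders (16, 16); baby steps are enumerated row by row rather than by Gray code.
from math import ceil

MODULI = (16, 16)
ZERO = (0, 0)


def add(a, b):
    return tuple((x + y) % m for x, y, m in zip(a, b, MODULI))


def smul(k, a):
    return tuple((k * x) % m for x, m in zip(a, MODULI))


def baby_table(alpha, bounds):
    """Store u_1*alpha_1 + u_2*alpha_2 -> (u_1, u_2) for u_i < bounds[i], one op per entry."""
    table, row = {}, ZERO
    for u1 in range(bounds[0]):
        elem = row
        for u2 in range(bounds[1]):
            table.setdefault(elem, (u1, u2))
            elem = add(elem, alpha[1])
        row = add(row, alpha[0])
    return table


def giant_steps(alpha, orders, bounds, table, beta):
    """Solve x_1*alpha_1 + x_2*alpha_2 = beta; returns (x, candidates examined).

    Writes x_i = u_i + bounds[i]*v_i and walks v over a grid, subtracting
    bounds[i]*alpha_i once per step, so each candidate costs at most one operation.
    """
    strides = [smul(-b, a) for a, b in zip(alpha, bounds)]          # -B_i * alpha_i
    grid = [ceil(n / b) for n, b in zip(orders, bounds)]            # ranges of v_i
    examined, cur1 = 0, beta
    for v1 in range(grid[0]):
        cur = cur1
        for v2 in range(grid[1]):
            examined += 1
            if cur in table:                                        # beta - v.B.alpha = u.alpha
                u1, u2 = table[cur]
                x = ((u1 + bounds[0] * v1) % orders[0], (u2 + bounds[1] * v2) % orders[1])
                return x, examined
            cur = add(cur, strides[1])
        cur1 = add(cur1, strides[0])
    raise ValueError("beta is not in <alpha>")


def batch_dl(alpha, orders, betas, bounds):
    """k logs sharing one baby-step table; returns (logs, baby steps + giant steps)."""
    table = baby_table(alpha, bounds)
    logs, ops = [], len(table)
    for beta in betas:
        x, examined = giant_steps(alpha, orders, bounds, table, beta)
        logs.append(x)
        ops += examined
    return logs, ops


def worst_case_cost(N, k, table_size):
    """Cost model from the text: table_size baby steps plus k * ceil(N/table_size) giant steps."""
    return table_size + k * ceil(N / table_size)


if __name__ == "__main__":
    alpha, orders = ((1, 1), (0, 1)), (16, 16)
    xs = [(3, 5), (15, 0), (0, 15), (9, 7)]                      # constructed logarithms
    betas = [add(smul(x1, alpha[0]), smul(x2, alpha[1])) for x1, x2 in xs]
    print(batch_dl(alpha, orders, betas, (8, 4)))                # one 32-entry table
    print(sum(batch_dl(alpha, orders, [b], (4, 4))[1] for b in betas))  # four 16-entry tables
```

With $k = 4$ and $N = 256$, a shared table of $\sqrt{kN} = 32$ entries (bounds $8 \times 4$) leaves a $2 \times 4 = \sqrt{N/k}$ giant-step grid per logarithm, for at most $64 = 2\sqrt{kN}$ operations in total, whereas four separate $\sqrt{N} = 16$-entry tables cost up to $128 = 2k\sqrt{N}$.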

Table 1 lists group operation counts for Algorithm 1 computing discrete logarithms in 2-groups of rectangular shape, corresponding to partitions of $n$ into $r$ parts, all of size $m = n/r$. Each entry is an average over 100 computations of $\mathrm{DL}(\alpha, \beta)$ for a random $\beta \in G$. Precomputation was optimized for a single discrete logarithm (repeated for each $\beta$) and these costs are included in Table 1. Reusing precomputed values can improve performance significantly over the figures given here, particularly when additional space is used, as in [27].

Algorithm 1 used the parameter t = [(Ign— 1)/tJ in these tests, which was near optimal in most cases. The optimal choice of $w$ is slightly less than that used in the proof of Proposition 1, as the average size of the exponents is smaller than the bound used there. For each entry in Table 1, if one computes the bound on $T_{DL}(G)$ given by Proposition 1, we find the constant $c$ close to 1 in most cases (never more than 1.5). In the first four columns of Table 1 the counts are dominated by the exponent-dependent terms of $T_{DL}(G)$, explaining the initially decreasing costs as $r$ increases for a fixed value of $n$ ($r$ is larger, but $m = n/r$ is smaller).

Table 2 compares the performance of Algorithm 1 to Teske's generalization of the Pohlig-Hellman algorithm on groups of order $2^{256}$ with a variety of different shapes. The baby-steps giant-steps optimization mentioned above is also applicable to Teske's algorithm (with even greater benefit), and we applied this optimization to both algorithms. The figures in Table 2 reflect averages over 100 computations of $\mathrm{DL}(\alpha, \beta)$ for random $\beta \in \langle\alpha\rangle$.



One uses baby steps to optimize the expected case, assuming $\beta \in \langle\alpha\rangle$.
   Group   Structure                       Pohlig-Hellman-Teske   Algorithm 1
   G1      256                                           32862          1268
   G2      128·64·32·16·8·4·2·1^2                         8736          1095
   G3      16^16                                          2065          1036
   G4      26·22·21·20···3·2·1                           17610          6647
   G5      128·32^2·8^4·2^8·1^16                        534953         84047
   G6      226·1^30                                    1075172         81942

Table 2. Computing discrete logarithms in groups of order $2^{256}$. The notation $a \cdot b^c$ indicates the group $\mathbb{Z}/2^a\mathbb{Z} \times (\mathbb{Z}/2^b\mathbb{Z})^c$.



Two advantages of Algorithm 1 are apparent in Table 2. In the first two rows, the complexity is dominated by $m$, and Algorithm 1 has a nearly linear dependence on $m$, versus a quadratic dependence in the algorithms of Pohlig-Hellman and Teske. In the last two rows, the complexity is dominated by $p^{r/2}$. Algorithm 1 computes just one base case in a subgroup of size $p^r$, due to the shapes of the groups, while Teske's algorithm computes $m$ base cases in a subgroup of size $p^r$ (using $O(m^{1/2}p^{r/2})$ group operations, thanks to the baby-steps giant-steps optimization).

Table 3 presents performance results for Algorithms 4 and 5 when used to construct a basis for four of the groups listed in Table 2. The group operation counts are averages over 100 tests. The first four rows list results for Algorithm 4 when given a random generating set $S$ of size $r + t$. The case $t = 0$ is of interest because it covers the situation where $S$ is itself a basis, hence it may function as a basis verification procedure. The costs in this case are comparable to the cost of computing a single discrete logarithm in the group generated by $S$ (this improves for $p > 2$).

The last four rows of Table 3 give corresponding results for Algorithm 5 using a randomized black box. In the first row for Algorithm 5, the algorithm is given the order of the group and runs as a Las Vegas algorithm, terminating only when it has found a basis for the entire group. In the remaining rows, Algorithm 5 is used as a Monte Carlo algorithm, correct with probability at least $1 - p^{-t}$.
                     t       G2       G3       G4       G5
   Algorithm 4       0      897     1739     9231   169633
                    20    27077    15383    50528   406102
                    40    45741    24946    71752   586501
                    80    82921    44337   111451   788065
   Algorithm 5            12727     2770    49219   372876
                    20    27725    15027    68362   494345
                    40    44137    26066    79950   587645
                    80    76054    40843   109257   936478

Table 3. Computing a basis for groups of order $2^{256}$.
8. Appendix

The inequality below is elementary and surely known. Lacking a suitable reference, we provide a short proof here.

Lemma 8. For any real number $a > 1$ there is a constant $c \le a/e^{1+\ln\ln a}$ such that for all real numbers $x_1, \ldots, x_n \ge a$ (and any $n$),
\[
\sum_{i=1}^{n} x_i \le c \prod_{i=1}^{n} x_i.
\]



Proof. We assume $x_1 \le \cdots \le x_n$. If we fix $\sum x_i$, we can only decrease $\prod x_i$ by supposing $x_{n-1} = a$, since if $x_{n-1} = a + \delta$, we have
\[
x_{n-1}x_n = a x_n + \delta x_n \ge a x_n + \delta a = a(x_n + \delta).
\]
We now assume $x_1 = \cdots = x_{n-1} = a$ and $x_n = a + \delta$ with $\delta \ge 0$. Since
\[
\frac{\sum x_i}{\prod x_i} = \frac{na + \delta}{a^{n-1}(a + \delta)}
\]
is a decreasing function of $\delta$, we maximize $\sum x_i/\prod x_i$ by assuming $x_n = a$ as well.

Thus it suff
ices to consider the case $\sum x_i/\prod x_i = na/a^n$, and we now view $g(n) = na/a^n$ as a function of a real variable $n$, which is maximized by $n = 1/\ln a$. Therefore, we may bound $\sum x_i/\prod x_i$ by $g(1/\ln a) = (a/\ln a)/a^{1/\ln a} = a/e^{1+\ln\ln a}$, and the lemma follows. □

The bound on $c$ given in the lemma is not necessarily tight, since $n$ must be an integer. If we note that $g(n) = na/a^n$ is increasing for $n < 1/\ln a$ and decreasing for $n > 1/\ln a$, it follows that the best possible $c$ is
\[
(19)\qquad c = \max\left\{ g\!\left(\left\lfloor \frac{1}{\ln a} \right\rfloor\right),\; g\!\left(\left\lceil \frac{1}{\ln a} \right\rceil\right) \right\}.
\]
Applying (19) with $a = \sqrt{2}$ we obtain the following lemma.

Lemma 9. For any integers $x_1, \ldots, x_n \ge 2$ we have $\sum \sqrt{x_i} \le \frac{3}{2}\prod \sqrt{x_i}$.